The recent data breach at British Airways saw hackers steal the financial details of 380,000 customers.
It is the latest in a maelstrom of cyber attacks that are spreading computer viruses and installing malware to plunder bank accounts and make ransom demands.
The Mail on Sunday gained exclusive access to the secret service’s National Cyber Security Centre to discover more about this growing dark web threat.
These days James Bond requires more than just a poison dart-firing fountain pen or an Aston Martin with revolving number plates. He also needs the skills of an IT expert.
While the secret agent may be a fictional character, his evil nemesis Spectre is becoming a reality. Led by super-villain Blofeld – portrayed by cat-stroking actor Donald Pleasence in You Only Live Twice – Spectre stands for Special Executive for Counter Intelligence, Terrorism, Revenge and Extortion. The shadowy organisation could also be used as a 21st Century description for the dark web.
To combat this growing threat of cyber terrorism, the National Cyber Security Centre was set up two years ago as a new arm of the Government’s intelligence service that includes the Security Service (MI5) and Secret Intelligence Service (MI6).
Controlled by the Government Communications Headquarters (GCHQ), which cracked the German Enigma codes in World War Two, it is housed in a grand office block close to the Secret Intelligence Service headquarters in Millbank, Central London.
Its cyber security technical director is Dr Ian Levy, who invited The Mail on Sunday into his lair to learn how its secret technology is defending us from an avalanche of cyber attacks.
Welcomed by half a dozen sharply dressed security guards in the foyer, we are ushered through two security level checks requiring separate colour code passes. A guide taps digits into the wall as we walk through bank vault-style doors to an open plan office.
There is no sign of Daniel Craig sitting at a desk doing his expenses and outside M’s meeting room Miss Moneypenny appears to have gone to lunch. Even the hat stand in the corner is missing.
The intelligence service has gone smart-casual. Dr Levy arrives sporting a trendy Ted Baker jacket, two-tone brown brogues and blue jeans.
He says: ‘There is a common misconception that cyber security is all spooks on the trail of hackers in hoodies. The reality is that cyber security is something we need to be open about. We use our technical expertise and knowledge to block an average of 4.5 million malicious emails a month that would otherwise reach computer users.’
A dedicated army of computer boffins housed within the top-security building works around the clock to keep up this cyber ring of steel for the nation.
Staying one step ahead of the hackers is a constant challenge and requires the best IT brains in Britain to develop new software to block the fraudster attacks. The moment a new phishing website targets our shores, an ‘active cyber defence’ unit pounces – blocking the criminal in an hour.
Some 80,000 cyber attacks were thwarted last year – including 590 ‘significant instances’ that might have led to widespread computer virus infections and ransomware stealing our personal data. The centre also provides online security advice to up to 100,000 computer users a month.
The Secret Service’s behind-the-scenes work has been funded with a £1.9 billion cash injection from the Government. It is not only stopping millions of unwanted emails getting through but the centre’s work is also helping to crack down on copycat websites and block 120,000 spoof ‘@gov.uk’ addresses.
Foreign government hackers – from Russia, China and North Korea – are also regularly intercepted from the tell-tale way their software codes are written.
Levy says: ‘Our job is to make Britain an unattractive target for cyber criminals, but we are not a regulator. We are here to offer real support. There is no need to panic but we must all take cyber security seriously. As a computer user you should not only always back up data but consider using security software and password managers that store complex password codes on your behalf.’
The National Cyber Security Centre offers advice to combat fraud at ncsc.gov.uk. It also supports businesses wanting to improve their cyber security. Last year, it worked with the National Health Service when WannaCry ransomware hacked into the computers of 47 trusts.
Six ways to thwart cyber thieves
1. Be vigilant. It is a chore but checking your bank statements every month is essential. Call the bank if unsure about a transaction. Also use a credit checking agency for a one-off free check to ensure no one is using your personal information to set up loans. Agencies include Experian, Equifax and Callcredit. But resist signing up to a deal costing £15 a month.
2. Stay safe with anti-virus software. Although it can be free, consider paying £40 a year for security covering a variety of gadgets. Do not be tempted by ‘pop-up windows’ offering security – these can be a scam. Accept security software updates as they provide ongoing protection.
3. Use a strong password for any online accounts. Picture imaging can help for codes but also consider password manager software from £10 a year.
4. Do not share personal information. Social media may be fun but it is a great place for spies to obtain your private details – photos, birthday and holiday – that when pieced together like a jigsaw can compromise your financial security.
5. Be wary of public wi-fi. Fraudsters can hack into it – often offered in a cafe or train – to spy on what you are doing on your smartphone or laptop. Be wary of making payments or accessing bank details when unsure of a connection. Some tricksters even mimic public wi-fi to get your details.
6. Do not trust websites without first checking the suffix. Fraudsters can steal details and money through bogus websites. They may look official but the final letters often give the game away. For example, Airbnb cheats have used a ‘co.com’ suffix for fraudulent bookings to steal money. The real one is ‘co.uk’.
The prefix is worth checking out too. An ‘https’ prefix shows a website that is more secure than one that starts with just an ‘http’. The code stands for ‘hypertext transfer protocol secure’.
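The suffix and prefix checks in tip six, written out as an added example (not part of the original article). It assumes you already know the official address, here the ‘airbnb.co.uk’ the article names; the ‘bookings.example’ hosts are constructed samples. It also covers two cases the tip does not mention: the real name used as the start of a longer address, and the real name placed before an ‘@’.

```python
from urllib.parse import urlsplit

def check_address(url, official_host):
    """Return a list of warnings for `url`, given the host the user expects."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    official = official_host.lower()

    # Prefix check: 'https' encrypts the connection. It does not prove who
    # runs the site, so the host checks below still apply.
    if parts.scheme != "https":
        warnings.append("not-https")

    # Anything before '@' is a login name, not the site being visited.
    if parts.username is not None:
        warnings.append("userinfo-in-url")

    # Suffix check: the host must BE the official host or END with it.
    # Comparing only the start of the address is not enough.
    if host != official and not host.endswith("." + official):
        warnings.append("host-mismatch")
        brand = official.split(".")[0]            # 'airbnb'
        if host.startswith(official + "."):
            # Official name glued onto the front of someone else's domain.
            warnings.append("official-name-used-as-prefix")
        elif brand in host.split("."):
            # Same name, different ending (the 'co.com' case).
            warnings.append("suffix-differs")
    return warnings

if __name__ == "__main__":
    # Constructed sample addresses.
    samples = [
        "https://www.airbnb.co.uk/rooms/1",
        "https://airbnb.co.com/rooms/1",
        "http://airbnb.co.uk/",
        "https://airbnb.co.uk.bookings.example/pay",
        "https://airbnb.co.uk@bookings.example/",
    ]
    for s in samples:
        print(s, "->", check_address(s, "airbnb.co.uk") or "ok")
```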
Fight email ‘phishing’ fraudsters
About 17 million victims in Britain were swindled out of a total of £4.6 billion last year as a result of cyber fraud, according to the software security firm Norton.
One of the most common methods employed by criminals to steal our money was getting computer users to reveal key personal banking information by sending bogus emails.
In what is known as ‘phishing fraud’, the sender often pretends to be someone official to gain trust, perhaps posing as a bank official or tax inspector. There is usually a sense of urgency involved, such as a claim that someone else is emptying your bank account, thereby panicking you into taking rash action.
The best response is to stay calm and not reply. Often just checking the details of the email address from which the message was sent is enough to send alarm bells ringing. Spelling mistakes are rife because the senders are often based overseas.
Phone the company the email sender claims to be representing to check if they are real. A bank will never ask you to share your personal details with them or with anyone else.
Colin Tankard, of Harlow-based data security company Digital Pathways, says: ‘Look at whether the email address tallies with whom it claims to be from. Small spelling mistakes are a tell-tale sign something is up.
‘You might also do a search of an email address on Google to see if it is flagged up as a security risk.’
It is not just bogus emails that can trick you into revealing key personal information.
Also keep an eagle eye out for copycat websites. Accommodation websites, passport assistance and tax support services can look the real thing until you study the web address’s suffix. For example, ‘co.uk’ is normally an indication of an official website. But ‘co.com’ could well suggest the website is a copycat, hoping to trick you into paying for services that are free from official websites.
Website ActionFraud offers advice to victims but you must first contact your bank and the police.
Get armed with security software
A common fraudster’s ploy is to pretend to offer technical support, luring victims to click on pop-up adverts that claim to boost internet speeds or scan for computer malware.
But nothing could be further from the truth. They actually compromise computer performance and can install ‘Trojan horse’ software that spies on what you are doing on your computer.
Another menace is a ransomware attack, where malicious software is installed on a computer. It can happen by accidentally opening a ‘pop-up’ window appearing on your computer screen.
Once installed there may then be demands for £100 or more to stop the attacker sharing your personal details or website browsing information with others. They may also threaten to shut down your computer and destroy its memory.
Security expert Colin Tankard says: ‘It is not a question of if but rather when you will be hacked. But you need not allow it to keep you awake at night as there is antivirus software out there – some of it even free – that can help you combat the cyber criminals who are out to get you.’
Household names such as Avira, Sophos, Symantec and McAfee can be trusted. Some, such as Avira and Sophos, offer free basic anti-virus systems to make sure your computer systems are clean. You might later upgrade to a ‘premium’ service for £40 or more a year for additional anti-virus protection.
Tankard adds: ‘Part of the armoury included in anti-virus software is the blocking of unwanted pop-up windows. These windows can put you on dark web lists that are then sold to other criminals.’
The security expert warns that you may not even be aware of malware that has been installed until it is too late. Once installed, so-called ‘man-in-the-middle’ fraudsters can see what you are looking at on your computer and the letters and numbers you are tapping out on a keyboard.
They will then strike when they see information you key in so as to get access to your bank account. The technique is a modern-day version of wire-tapping.
It is important to install legitimate software updates as these often include the latest measures that can be taken to help thwart criminals.
Security software should prevent malware attacks but if you still have problems seek computer support from a specialist IT repair shop. Repairs cost from £50 but you might have to pay more – £200 – to sort it out. A price worth paying.
Hide passwords inside a safe vault
Fraudsters are always trying to get their hands on security passwords so as to help them break into your computer.
Password manager software allows users to log into a secret vault of codes used for access to everyday services, from bank accounts to online shops. Once you have logged in using a single master password the software does all the rest – remembering all the different encrypted codes for the individual accounts you access regularly.
Among those worth considering are LastPass, 1Password, Dashlane, Norton Identity Safe and RoboForm. Basic secure wallet services are free but for access from several devices – computers, iPads and smartphones – it can cost between £10 and £20 a year.
Ruby Gonzales, of secure internet service provider Nord VPN, says: ‘Cyber criminals often only need your password to unlock the door to your private information and gain access to your finances.
‘These days it is no good just having a memorable password shared across different accounts.
‘You need high-tech help with a password manager where hard-to-crack codes are provided that get regularly changed. You do not need to remember them if you have specialist software to store them. All you then require is a master password.’
Be prepared for future cyber attacks
Knowing your enemy is one thing, but you must also remain vigilant and look out for the next cyber attack.
Ruby Gonzales says websites such as Have I Been Pwned are able to trawl websites to see if your email address comes up on a list of those that have fallen victim to a possible data breach – and are more likely to be attacked again. The term ‘pwn’ is hacking jargon for someone who uses computer programmes developed by others to attack systems – and take control of other people’s computers.
She says: ‘There is no need to panic but appearing on a list of data breach victims is a sure sign that it is high time to change your password. Adopt a new secure name not used on website accounts you might already have which is hard to crack.’
Cyber criminals are likely to target those in society who are potentially vulnerable. The elderly are the biggest target group while those seeking love are also prey.
Greed is another weakness fraudsters exploit. Such scams include claiming you have won a fortune in an international lottery, but in order to get the prize you need first to hand over cash. Con artists also rely on people sharing their lives on social media, using websites and apps such as Snapchat, Instagram and Facebook.
It does not take much for a criminal to piece together a jigsaw on someone who likes to share every detail of their social lives with others on the internet.