New laws to protect consumers from cyber criminals come into force

From today, regulations enforcing consumer protections against hacking and cyber-attacks will take effect, mandating that internet-connected smart devices meet minimum-security standards by law.

  • World-first laws protecting UK consumers and businesses from hacking and cyber-attacks take effect today   
  • manufacturers of products such as phones, TVs and smart doorbells are now required to implement minimum security standards against cyber threats   
  • consumers will benefit from banning of easily guessable default passwords, marking a significant leap in protecting individuals, society and the economy from cyber criminals 

Consumer protections against hacking and cyber-attacks will come into force today, as all internet connected smart devices will be required by law to meet minimum-security standards. 

Manufacturers will be legally required to protect consumers from hackers and cyber criminals accessing devices with internet or network connectivity – from smartphones to games consoles and connected fridges – as the UK becomes the first country in the world to introduce these laws.

Under the new regime, manufacturers will be banned from having weak, easily guessable default passwords like ‘admin’ or ‘12345’ and if there is a common password the user will be prompted to change it on start-up.

This will help prevent threats like the damaging Mirai attack in 2016 which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet. Since then, similar attacks have occurred on UK banks including Lloyds and RBS leading to disruption to customers. 

The move marks a significant step towards boosting the UK’s resilience towards cyber-crime, as recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices. The new regime will also help give customers confidence in buying and using products, which will in turn help grow businesses and the economy.  

An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.   

Minister for Cyber, Viscount Camrose said: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.

“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe.   

“We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”

Data and Digital Infrastructure Minister, Julia Lopez, said: “Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.

“Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”

OPSS Chief Executive, Graham Russell said: “The use and ownership of consumer products that can connect to the internet or a network is growing rapidly. UK consumers should be able to trust that these products are designed and built with security in mind, protecting them from the increasing cyber threats to connectable devices.    

“As the UK’s product regulator, OPSS will be ensuring consumers can have that confidence by working with the industry to encourage innovation and compliance with these new laws.”

NCSC Deputy Director for Economy and Society, Sarah Lyons said:  “Smart devices have become an important part of our daily lives, improving our connectivity at home and at work; however, we know this dependency also presents an opportunity for cyber criminals.  

“Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks and this landmark Act will help consumers to make informed decisions about the security of products they buy. 

“I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new Product Security and Telecommunications Infrastructure (PSTI) regulation affects them and how smart devices can be used securely.”

With 57% of households owning a smart TV, 53% owning a voice assistant and 49% owning a smart watch or fitness wristband, this new regime reinforces the government’s commitments to addressing these threats to society and the economy head on.  

The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience from cyber-attacks and ensure malign interference does not impact the wider UK and global economy.    

The new measures will also introduce a series of improved security protections to tackle the threat of cyber-crime:  

  • Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking  
  • Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with  
  • Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates  

Rocio Concha, Which? Director of Policy and Advocacy, said: “Which? has been instrumental in pushing for these new laws which will give consumers using smart products vital protections against cyber criminals looking to launch hacking attacks and steal their personal information. 

“The OPSS must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law, but we also expect smart device brands to do right by their customers from day one and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.”

David Rogers, CEO of Copper Horse, said: “We started this work many years ago so that people would not have to understand lots about the security of connected product in order to be secure. Getting rid of things like default passwords that are set to ‘admin’ or ‘12345’ are fundamental basics.

“Manufacturers should not be providing anyone with products like webcams that are so weak and insecure that they are trivial to hack into and take over. This stops now and people can have greater confidence that the internet connected products that they buy have better security measures built-in to protect them.”

The UK government has collaborated with industry leaders to introduce this raft of transformative protections, which also include manufacturers having to publish information on how to report security issues to increase the speed at which they can address these problems.

In addition, consumers and cyber security experts can play an active role in protecting themselves and society from cyber criminals by reporting any products which don’t comply to the Office for Product Safety and Standards (OPSS).   

The government is beginning the legislative process for certain automotive vehicles to be exempt from the product security regulatory regime, as they will be covered by alternative legislation.   

This new regime intends to increase consumer confidence in the security of the products they buy and use, delivering on one of the government’s five priorities to grow the economy.

The new laws are part of the government’s £2.6 billion National Cyber Strategy to protect and promote the UK online.

Heartbreaking: Britons lose £204.5 million to dating scams, hacking and more in past 12 months

  • The UK reports losses of around £204.5M over the past 12 months due to personal, digitally driven crimes
  • Almost 23,000 cases of fraudulent activity relating to plastic cards and online bank accounts have been logged since September last year
  • Alarmingly, 49% of Brits don’t know if their smartphone has security software installed, or have none at all

Following last week’s Twitch data leaks on 4chan, a new study reveals that the UK’s public has lost as much as £204.5 million to personal, digitally driven crimes in the past 12 months. Additionally, as many as 26 million British adults – 49% of residents over the age of 16 – report either not knowing whether their smartphone has security software installed, or having none at all.

App development company Bacancy Technology analysed statistics drawn from the National Fraud Intelligence Bureau (NFIB), focusing on crimes more likely to befall members of the public – such as dating scams, personal and social media hacking, computer viruses and banking app fraud.

The UK has filed a total of 60,297 reports of criminal activity dating back to September of last year, culminating in a total loss of £204.5M to the personal finances of British citizens.

Across the selected categories, cyber-assisted crimes involving cheque, plastic card and online bank accounts have seen the highest number of incidents, at 22,981 reported cases, with an overall personal financial loss of £102.3M – an average of £4,451 per case.

Social media and email hacking ranks second highest in the list in terms of the number of reported incidents, standing at 12,225 reports over the last 12 months. However, the high volume of cases is offset by an average loss per case of £204 – amounting to a smaller overall financial loss of £2.5M.

With dating scams, it’s the opposite. A smaller number of reported cases (9,388 over 12 months) has resulted in Brits taking financial losses of £97,600,000 – with each individual case costing over £10,000 on average.

Ranking fourth and fifth on the list are reported crimes surrounding computer viruses/malware and personal hacking – which relates to hacked devices, rather than accounts. Despite a large number of reported incidents over the past 12 months (7,893 and 6,649 respectively), each of these crimes has resulted in smaller average losses per case, with figures under £100.

Top 5 personal digital crimes – UK, over 12 months (Oct ’20 – Oct ’21)

| Type of crime | Number of reported crimes | Reported financial loss (in GBP) | Average loss per case |
|---|---|---|---|
| Cheque, Plastic Card & Online Bank Accounts | 22,981 | £102,300,000 | £4,451 |
| Hacking – Social Media & email | 12,225 | £2,500,000 | £204 |
| Dating Scams | 9,388 | £97,600,000 | £10,396 |
| Computer Virus/Malware/Spyware | 7,893 | £348,400 | £44 |
| Hacking – Personal | 5,649 | £511,900 | £90 |

Despite the variety of security apps readily available on both the Apple and Android stores, around 26 million Brits – a total of 49% – may be at risk.

Further data drawn from an ONS survey shows that one in three Brits (32%) are unaware of whether their smartphones have security software installed, while almost one in five (17%, or nine million adults) reported not having security software of any kind – leaving them open to potential cyber-crime and fraudulent activity.

Do you have security software installed on your smartphone?

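| Response (%) | All | 16-24 | 25-34 | 35-44 | 45-54 | 55-64 | 65+ |
|---|---|---|---|---|---|---|---|
| Automatically installed/provided with operating system | 40 | 39 | 46 | 36 | 44 | 37 | 38 |
| Installed/subscribed | 11 | 8 | 9 | 14 | 13 | 12 | 11 |
| Do not have smartphone security | 17 | 27 | 18 | 19 | 15 | 9 | 11 |
| Don’t know | 32 | 26 | 27 | 31 | 29 | 42 | 41 |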

Commenting on the findings, a spokesperson for Bacancy Technology said: “Recent events in the news have highlighted the importance of maintaining security over our personal data and finances.

“Even so, it seems that while the British public are aware of the potential dangers of online activities, many are failing to take steps to adequately protect themselves and their loved ones. Digital security is of the utmost importance, and everyone with a smart device should take necessary precautions to ensure their safety.”

This research was conducted by app development company Bacancy Technology, an exclusive hub of top software developers, UI/UX designers, QA experts and more, offering development services aimed at the creation of high-end, enviable applications.

Millions with old routers at risk of being hacked in their homes

Millions of internet users could be at risk of hacking attacks due to using outdated routers from their broadband providers that have security flaws, a Which? investigation has found. 

Households across the country are using their home broadband more than ever, to work, educate their children or keep in touch with loved ones.

But many are unaware that old equipment provided by internet service providers (ISPs), including EE, Sky, TalkTalk, Virgin Media and Vodafone, could be putting them at risk of hackers spying on what they are browsing online or even directing them to malicious websites used by scammers.

Which? investigated 13 old router models and found more than two-thirds – nine of them – had flaws that would likely see them fail to meet requirements proposed in upcoming government laws to tackle the security of connected devices.

The legislation is not yet in force and so the ISPs aren’t currently breaking any laws or regulations.

The consumer champion’s lab testing identified a range of issues with the routers. These security risks could potentially affect around 7.5 million people, based on the number of respondents who said they were using these router models in Which?’s nationally representative survey.

Around six million people within this group of users could be using a router that has not been updated since 2018 or earlier. This means the devices have not been receiving security updates which are crucial for defending them against cyber criminals.

The problems uncovered by Which?’s lab tests on the old router models that failed were:

  • Weak default passwords, which in certain circumstances could allow a cyber criminal to hack the router and access it from anywhere;
  • a lack of firmware updates, which are vital for both security and performance;
  • a local network vulnerability issue with the EE Brightbox 2. This could give a hacker full control of the device, and for example allow them to add malware or spyware, although they would have to be on the network already to attack.

The survey also suggested that 2.4 million users haven’t had a router upgrade in the last five years.

Which? is concerned that many customers are being left using old kit, often with no guarantee of an upgrade, and is encouraging consumers in this position to talk to their broadband provider about getting an upgrade.

In contrast to the other ISPs, the old BT and Plusnet routers that Which? tested all passed the security tests – researchers didn’t find password issues, a lack of firmware updates or a local network vulnerability with these devices.

When Which? contacted the ISPs with its findings, most of them said that they monitor for security threats and provide updates if needed.

BT Group told Which? that older routers still receive security patches if problems are found – although Which? did find an unfixed vulnerability on the EE (part of the BT Group) Brightbox 2 router.

Aside from Virgin Media, none of the ISPs Which? contacted gave a clear indication of the number of customers using their old routers. Virgin said that it did not recognise or accept the findings of the Which? research and that nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.

However Which? notes that Virgin was counting just paying account holders, whereas Which?’s survey was of anyone using routers within a household.

Which? believes that ISPs should be more upfront about how long routers will receive firmware and security updates – one of the requirements of proposed government laws to tackle unsecure devices – and encourage people to upgrade devices that are at risk.

Which? is also calling for the government, as part of its proposed legislation to tackle unsecure devices, to ban default passwords and to prevent manufacturers from allowing consumers to set weak passwords that may be easily guessable and hackable.

The consumer champion also believes broadband providers should be ready to respond when security researchers warn them about possible issues – and should make it easy for researchers to contact them. Only Sky, Virgin Media and Vodafone appeared to have dedicated web pages for this.

Consumers with routers that are five years old or more should ask their provider if the device is still supported with security updates and if it is not they should ask for an upgrade.

Kate Bevan, Which? Computing editor, said: “Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals.

“Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks.

“Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”

Five ways to keep your personal data safe from hackers this Cyber Monday

New research reveals that nearly half (49%) of UK adults have not installed security software on their mobile phone or don’t know whether it has any, so keeping personal data safe from hackers has never been more important.

In the wrong hands, stolen data can be used by hackers for illegal activity such as applying for loans or credit cards under a victim’s name, or bank accounts being accessed and money withdrawn.  

To help keep data safe, leading insurance provider, Insurance2go, shares five ways mobile phone users can help to protect personal data stored on their device.

  1. Be cautious of public Wi-Fi 

Using public Wi-Fi is great for those who have a low data allowance, or are running out of mobile data. However, public networks often don’t provide a secure connection, making it easy for hackers to use them to access personal data.  

Hackers targeting public Wi-Fi hotspots are able to use what is known as a ‘man-in-the-middle’ attack, which is when a hacker intercepts financial information, passwords and log-in information through a public network.  

Always avoid using mobile banking apps or making online purchases whilst logged onto a public Wi-Fi network. For those who do need to use public Wi-Fi, use a Virtual Private Network (VPN) app. A VPN can protect data from getting into the wrong hands by encrypting online data and keeping personal information secure when using a public Wi-Fi connection.  

  2. Turn off ‘sharing’ settings when not in use

Smartphone features that share a location should be used with caution and always turned off when not in use. Features such as Bluetooth, Wi-Fi, location services, mobile data and Near Field Communication (NFC) are susceptible to hacking, especially Bluetooth location services as they transmit a device’s location and presence. 

Hackers can easily get hold of personal information and data through features that mark a phone as ‘visible’, so always make sure to disable such features when they are not needed. 

  3. Only download legitimate apps

Downloading illegitimate apps is another way to open your personal data up to hackers. Often, apps hosted on some websites or third-party app stores can contain malware and can access data once downloaded. It’s recommended that users only download apps from the official app stores, so App Store for iOS users, Google Play for Android users or the AppGallery for Huawei owners. 

  4. Be wary of app permissions

When an app is first downloaded, it often asks for ‘permission’ to access certain features or information held on a mobile phone. From the camera roll, to your speaker, location or phone contact list, apps can ask for a range of permissions in order for certain functions to work.  

Be cautious of what information an app is requesting access to and question whether the app actually needs that information. For example, a photo editing app doesn’t need contact list information in order to function correctly, so take the time to properly think about whether or not that information is needed. 

Viral video app TikTok recently came under fire for security issues in the US, with reports claiming that the Pentagon warned U.S. military personnel in January to delete TikTok from their phones, and India last month banned TikTok, amongst other apps, over security and privacy concerns. It’s always important to review what permissions an app is asking for.

  5. Avoid using auto-login

Whilst it’s recommended to have a variety of passwords for online accounts rather than the same password, auto-login gives hackers easy access to personal data by simply opening up an app or webpage. For those likely to forget multiple passwords, note them down in a secure, password protected note on a phone, or in a notebook that is kept secure and stored away. 

And it’s not just using your mobile phone that can open your personal data up to hackers. What happens if your mobile phone is lost or stolen? Insurance2go shares some useful tips for people who might find themselves in this scenario and want to keep their personal data safe:

  1. Firstly, report the phone as missing to the network provider, who can suspend or disconnect the service to the phone. This can help stop any unauthorised use of the phone if it falls into the wrong hands.
  2. If the mobile phone is known to be stolen, inform the police who will be able to provide a crime number, which can be used if the user needs to inform an insurance provider.
  3. Most smartphones now have a built-in ‘kill switch’, which can allow a user to remotely deactivate a device if it’s lost or stolen. In order to work, the feature needs to be enabled. For iPhone users, the ‘Activation Lock’ can be enabled within the ‘Find My’ app to help keep data safe. Firstly, go to the ‘Find My’ app > Tap the devices tab and choose which device is lost or stolen, then tap Activate under ‘Mark as Lost’ and follow the prompts on screen. Android users can enable the kill switch with ‘Find My Device’. Go to Settings > Google > Security, then turn on ‘Remotely locate this device’ and ‘Allow remote lock and erase’.
  4. Finally, immediately change passwords for any accounts or apps that can be accessed on the mobile phone. Prioritise any important accounts first, such as online banking and other associated accounts.

Richard Gray, Head of Marketing and Digital, at Insurance2go said: “Our mobile phones are home to lots of stored data and without correctly protecting your personal information, it could easily land in the wrong hands. 

“‘SIM-jacking’ is a common method where hackers are able to use stolen data to obtain a Porting Authorisation Code (PAC). This can then be used to switch the victim’s phone number to another phone on another network, helping them gain access to a range of personal data and information, often including banking details. 

“Protecting data stored on a mobile phone is extremely important. Hackers are often creating new ways to get a hold of our data, so we hope that by sharing our tips, we can help people avoid getting caught out by fraudsters.” 

To find out more about VPNs and how to protect data whilst on a public Wi-Fi, please visit: https://www.Insurance2go.co.uk/about/news-blog/blog/everything-you-ve-ever-wanted-to-know-about-vpns

Top security tips to protect yourself against fraud this Christmas

Black Friday marked the start of the festive season, not just for us, but for criminals too. We will all be frantically seeking out some Christmas bargains both on the high street and online.  It’s easy to get carried away with the festive cheer but remember the old adage ‘If something looks too good to be true then generally it is.’  

If you’re concerned about fraud, Head of Information Security at Atom bank, Jon Holden, has provided some useful tips to keep you protected and to ensure you don’t put yourself in danger:

  1. Be wise and choose where you shop carefully

“When buying online, look for the padlock or lock icon located in the web browser. Check out the feedback section for buyer reviews and ask if the seller has a returns policy. Do they have a physical address or are they only contactable via phone or email – this may be a red flag!

“Use a credit card when making a big money purchase, as the majority of card companies have online insurance for their customers. Be mindful that some products may be counterfeit – top end designer goods are rarely discounted so you may be buying counterfeit goods.”

  2. Don’t click on links in unsolicited emails or share too much information

“Fraudsters send out phishing emails which may appear to be from a legitimate online company from which you have previously made a purchase, requesting that you are required to update your payment card details.

“Check the URL in your web browser. Fraudsters change an address ever so slightly in the hope that you won’t notice that it isn’t the genuine website e.g. www.pay.pa1.com.

“If you are in any doubt contact the company direct i.e. not via the link. Don’t share too much information and only complete what is required. If you feel uncomfortable with the information you’re being asked for then don’t share it.”

  3. Update your apps, browsers, PCs, phones, iPads, tablets…

“Regularly check and install the latest software and app updates on your devices. They contain important security updates that can protect you against malware and fraud.”

  4. Use strong passwords and switch on multi-factor authentication

“It might seem obvious, but many people still use simple and straightforward passwords that are easily guessed by fraudsters. Hackers usually work through lists of common passwords searching for the right combination, and once they’ve guessed your log in details for one account, they could use your credentials to access multiple websites.

“Use unique passwords for each service you use. Make sure they don’t include names or key dates like your birthday as this could put you at risk. Make it hard to guess by using upper and lower-case letters, special characters and numbers, but not so hard that you won’t remember and have to write it down. Also switch on multi-factor authentication; this will keep you extra protected as it will ask for two or more pieces of evidence to gain access to your account.”

  5. If you’re shopping online on a public/shared computer – don’t click on ‘remember me’

“When using a public/shared computer, make sure you log out before leaving the machine and don’t click on ‘remember me’ as that could allow the next user to log in to your account.

“Selecting the ‘remember my card details’ option is very convenient for future purchases, but means you’re putting a lot of trust in the company behind the website. If they don’t store your details, they can’t lose your details to hackers!”