Saturday, 3 December 2016

UK National Lottery Accounts Breached

Camelot claims that "there has been no unauthorized access to core National Lottery systems or any of our databases;" that is, it has not been hacked. Instead it suggests that the attackers used emails and passwords stolen from another online service.

Camelot, the company that runs the UK National Lottery, announced today that approximately 26,500 customer accounts had been fraudulently accessed. The activity was discovered on Monday.

Camelot is also confident that the affected customers cannot directly lose financially from the activity, although some personal information will have been accessed. It adds, "We have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely." This will undoubtedly lead to increased phishing activity as criminals pretend to be Camelot offering help while actually soliciting further personal information.

The incident demonstrates the need for a responsible partnership between online organization and users. Both have their part to play. Organizations should require two factor authentication (and there are now several frictionless biometric options available), while customers should never reuse passwords for any account that holds personal or financial details

In both cases it seems as if the attackers timed their activity over a weekend. A similar number of accounts were affected, and in both cases credentials stolen elsewhere were used. The possibility that attackers are automating the extraction of customer details from large stolen databases should not be ignored. If this is the case, then it is not just affected Camelot customers that should change their passwords, but anyone who has reused passwords for more than one account. Needless to say, if a two-factor authentication option is available, it should be adopted.

"There's no doubt that when one database is breached, it's common for the credentials stolen to be tried elsewhere," comments ESET senior research fellow David Harley. "If you were a bad guy, why wouldn’t you try them elsewhere? It can be done manually, of course, but it doesn’t require a lot of effort to automate, either. Which is why I (and many other security commentators) routinely recommend that people don't re-use credentials, at any rate for sites that use and may retain significant data."

The danger, however, is whether these bad guys are able to find common third-party services among the millions of email addresses and passwords at their disposal; that is, if they can find a way of locating Tesco Bank customers, or Camelot customers within the databases. This would not be impossible. Among the stolen credentials there will be many that provide access to the users' actual email accounts.