Protecting your personal data is important, whether you are a teenager or in retirement. A lot of people are confused about what they can do to avoid becoming victims of internet fraud. Cyber criminals use phishing attacks – email scams where they trick you to click a download link to viruses, or to open attachments that are no good for you. This is by far the most common way to steal someones data, and to abuse it.

There are two common ways hackers steal your money;

• They hold your computer hostage by using a virus type known as ransomeware or cryptovirus. What this does is it locks your computer files with a password, and they demand money to give you the password back. Sometimes they make you pay several times and don’t give it back to you anyway.
• They steal your payment data, like a credit card. Malware that monitors your purchases can send your credit card data to the hacker, who then abuses the credit card by buying things or paying to himself by setting up a merchant account with a credit card processing company like PayPal.

The question is: what can you do to avoid this? The following list contains about the same information that big companies are offering their employees as cyber awareness training. If you follow these 6 rules you will reduce the risk of this type of cyber attack by around 90%:

1. Always be critical of e-mails you receive and don’t open links or attachments you are not sure about. Check the actual internet address of the link and see if it makes sense before opening it. Copy and paste it into your browser instead of clicking it to see this. Don’t visit the site if it looks suspicious.
2. Keep all of your software up-to-date.  Software upgrades are normally security fixes – they are removing vulnerabilities hackers need to attack your software. Only use software from reputable sources.
3. Don’t use public open wifi without a virtual private network (VPN). A VPN creates a protected path for your data communication with the internet, making it impossible for hackers on the network to read your data traffic.
4. Always have antivirus software running on your computer, and a firewall.
5. Regularly back up your data. You can use a USB drive for this, and disconnect it when you are done backing up. This way hackers can’t lock your files away from you, because you have a safe backup they cannot reach.
6. Don’t use the same passwords for many online sites. Sites on the internet are hacked quite often, and if you have used the same email and password on many sites, they get access to everything. ID theft is a big problem, partly because people use the same password everywhere.

REMA1000 did not use any form of authentication on their customer database used by a loyalty program. They claim that this is nothing to worry about. I disagree. Identity theft, blackmail and potential surveillance are threats worth worrying about.

REMA1000, a Norwegian discount store chain, recently released a new customer loyalty program they named ‘Æ’. The letter ‘Æ’ is also the local word for ‘I’ in the Norwegian dialect in the area where Rema1000 is headquartered (Trondheim, the city where I live).

 

 

The way the loyalty system works, is that you install an app on your smartphone, and register your debit card in the app. Whenever you make a purchase they will register what you have bought, and you are offered a 10% discount on the 10 items you spend the most money on, as well as on all vegetables and fruits. Sounds like a sweet deal, right?

The problem is only that the app was launched without requiring any form of authentication between the app and the backend database. This is reported by the Norwegian newspaper Aftenposten.no today. The vulnerability would allow anyone to download customer data from their database, down to each item purchased, as well as key customer data such as phone mumbers and partial credit card numbers. The vulnerability was discovered by infosec professional Hallvared Nygård, who spoke to Stavanger Aftenblad about the issue (another Norwegian newspaper).

In a comment to Aftenposten, Rema1000 claims that they “take the situation seriously”, and accuse the security researcher of having obtained access to the information in an illegal way. They say customers have no reason to worry with regard to security with regard to the data they leave with the stores.

This attitude shows a lack of understanding of security risks from REMA1000. First of all, lack of authentication between frontend and backend in a web application is close to inexcusable. It would be disovered by any reasonable web app security scanner. Protecting database access through secure authentication is the core concept of web application security and should be taught in any introduction to secure development class at your nearest university. Even more worrisome is perhaps that REMA1000 claims customers have nothing to worry about. Identity theft, blackmail and surveillance is pretty serious stuff to worry about if you ask me.  On top of this, REMA1000 is seemingly looking to blame the security researcher for reporting the vulnerability.