Camelot, the company that runs the UK National Lottery, announced today that approximately 26,500 customer accounts had been fraudulently accessed. The activity was discovered on Monday.
Camelot claims that “there has been no unauthorized access to core National Lottery systems or any of our databases;” that is, it has not been hacked. Instead it suggests that the attackers used emails and passwords stolen from another online service.
Camelot is also confident that the affected customers cannot directly lose financially from the activity, although some personal information will have been accessed. It adds, “We have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely.” This will undoubtedly lead to increased phishing activity as criminals pretend to be Camelot offering help while actually soliciting further personal information.
The incident demonstrates the need for a responsible partnership between online organization and users. Both have their part to play. Organizations should require two factor authentication (and there are now several frictionless biometric options available), while customers should never reuse passwords for any account that holds personal or financial details.
While Camelot is forcing affected customers to change their password, several security experts are suggesting that all Camelot users should do so. While this is good advice, it is not enough. There are certain parallels between this incident and an earlier incident at Tesco Bank less than one month ago.
In both cases it seems as if the attackers timed their activity over a weekend. A similar number of accounts were affected, and in both cases credentials stolen elsewhere were used. The possibility that attackers are automating the extraction of customer details from large stolen databases should not be ignored. If this is the case, then it is not just affected Camelot customers that should change their passwords, but anyone who has reused passwords for more than one account. Needless to say, if a two-factor authentication option is available, it should be adopted.
“There’s no doubt that when one database is breached, it’s common for the credentials stolen to be tried elsewhere,” comments ESET senior research fellow David Harley. “If you were a bad guy, why wouldn’t you try them elsewhere? It can be done manually, of course, but it doesn’t require a lot of effort to automate, either. Which is why I (and many other security commentators) routinely recommend that people don’t re-use credentials, at any rate for sites that use and may retain significant data.”
The danger, however, is whether these bad guys are able to find common third-party services among the millions of email addresses and passwords at their disposal; that is, if they can find a way of locating Tesco Bank customers, or Camelot customers within the databases. This would not be impossible. Among the stolen credentials there will be many that provide access to the users’ actual email accounts.
On Monday of this week, the New York Times published, “How Google Knows When Your Bills Are Due.” The answer is simple. “What is probably happening here is that Google is automatically scanning your Gmail messages for notices about package deliveries, flight times, restaurant invitations, and yes — bill reminders — and using the information in smartphone alerts for its Google Now/Google Assistant software.”
But anyone with access to an email account can scan the content, looking for whatever they want. “Perhaps the connection between Tesco Bank and Camelot are shared email addresses?” asks F-Secure’s Sean Sullivan. “It was thought that credentials (emails/passwords) were brute forced at Tesco. But perhaps some hackers have access to email accounts and know what services are used because of the content in the Inboxes. I would guess that there is crossover between Tesco customers and lottery players.”
Given the increasing use of automation by cyber criminals, and the potential for future use of machine learning in their endeavors, we should not dismiss the possibility of further weekend attacks against thousands of customers at individual pre-selected organizations.