Help secure the top UK entry point for cyberfraud

1)  The NHS is by far the UK’s most trusted brand. It is therefore the entry point of choice. What are the consequences?

• “NHS” is the UK’s most trusted brand. Until recently it was one of the least protected/secure. There have been significant improvements in recent months but, as a result of Covid, impersonating the NHS now comes alongside impersonating Telcos, ISPs and HMRC as a vector of choice for fraudsters, abusers and the organised criminals seeking to infiltrate corporate systems via their home-based workers. It may now be THE vector of choice.
• The Covid-19 lockdown has led to an explosion of fraud and abuse, both on-line and in the “real” world. The problems are not confined to the UK. Around the world organised crime has adapted  to exploit the opportunities to  pillage central and local government relief programmes, private sector organisations with large numbers of homeworkers, SMEs and charities as well as all those, from children to pensioners, herded on-line in the isolation of their homes with all else closed to them.
• Longstanding weaknesses in the telephone numbering and Internet addressing systems mean it is impractical for a member of the public to check that a text, telephone call or e-mail purporting to come from the NHS Test and Trace service is genuine.  The same applies to unencrypted electronic communications from HMRC, DWP or anyone else.
• Current guidance on using Test and Trace is therefore based on trying to ensure that those contacted will respond by contacting the Test and Trace service via the website and telephone number published in the official guidance.
• The way blue tooth operates limits its value in indicating who the carriers of suitable mobile phones may have been exposed to. Automated blue-tooth contact with the devices of other users can expose phones to the installation of monitoring and surveillance software of unknown source/provenance.
• Steps can be taken to significantly reduce the vulnerabilities but require co-operation between Government, law enforcement and industry, particularly Telcos, ISPs and Technology suppliers that is not yet in serious prospect.
• Steps can be taken to identify fraudsters, abusers and those who aid and abet them but these commonly require co-operation between law enforcement, telcos, ISPs and security operations (both public and private sector) that is not yet in serious prospect.
• Most serious data protection and privacy breaches involve insiders (e.g. in call centres, help desks or compliance/security teams). There is already a known problem with honour killings etc. resulting from leaked information from health, welfare, legal and law enforcement records regarding the location and/or personal contacts of the victim.
• A problem in deterring such behaviour is the absence of personal custodial sentences (as per sections 77 and 78 of the Criminal Justice and Immigration Act 2008 which were not implemented and were then repealed by the Data Protection Act 2018).
• There is a need to provide realistic guidance to give the public confidence in the security of the Test and Trace service and any accompanying systems. It would be good to also take the opportunity to improve the security of NHS systems as a whole and better deter/address abuse/fraud overall.
• Many/most of the necessary actions require co-operation with others outside the NHS.

As unpaid research assistant  to Lord Lucas , I therefore drafted a series of questions (Section 4 below) to try to help ensure that officials are given the terms of reference and budgets necessary to secure the main honeypot for those using Covid-related “lures” to gain access to corporate systems via home-based workers. Below is the draft brief to explain the background to those questions.

At the end of this blog are the formal answers to the questions as asked (section 5).

Now comes the time for ministers to ask their officials for “real” answers, for the officials to ask their suppliers and for you to take action to secure your organisations, your customers and yourselves from the consequences of inaction.

You might also wish to brief your member of parliament and the political party of your choice with regard to what you think should be done.

The theme of “When IT Meets Politics” has always been that the silent majority gets what it deserves … ignored. 

Hence this post and the request at the end for authoritative links to help MPs, Ministers and Officials ask better questions of those offering their services to help.

2) The NHS is trusted in a way that Apple/Google are not

Much recent publicity has been devoted to claims that the Apple/Google “decentralised” approach is somehow more secure and less of an assault on personal privacy than that being tested by NHSX.  The Trinity College Dublin study confirms the view that Bluetooth rather than data protection is the problem but leaves open the question of whether protecting data or protecting lives should have priority . Ross Anderson (inter alia privacy advisor to the BMA) summarised the issues (including the problems with blue tooth) well in his blog on Contact Tracing in the Real World in April.

The problems with false positives/negatives do not mean Bluetooth-based data  is useless, merely that is a guide to be used alongside other data sets (eg GPS, wifi, surveillance, dialogue). GPS is useful only out of doors. Wifi may help in large building with multiple access points. But in many indoor cases (e.g. in a railway carriage) only Bluetooth can, subject to its limitations, provide useful data.

On May 18^th the initial findings of a study by academics from Warwick and Birmingham Universities into public views on tracing apps were made available on Github: “61.6% believed Apple and Google would be somewhat or extremely likely to access the data for other reasons … This level of distrust is much more pronounced than the distrust in government.”

By contrast 84.2% would probably or definitely be willing to share with the NHS. Sharing with “researchers” was more acceptable than local or national government. Sharing with other users was significantly less popular than either. Over half were moderately or extremely concerned that other users could re-identify them. Only 15% expressed concern about re-identification by the NHS.

Depending on how the question is asked, between 2/3 and 3/4 of participants in the study would be probably or definitely download an app, with only 17.6% saying they would probably or definitely not. 9.6 would opt out of any contract tracing app. The recipient of any shared data, whether  anonymised or not, determines acceptability.

3) Spoofing an NHS Branded Service is therefore a major risk for UK plc as a whole

The risk register for the Privacy Impact assessment for the Isle of Wight pilot for the NHSX contact tracing support app left out the biggest risk – that of fraudsters tricking the UK public to sign up to imitation apps in advance of well protected and authenticated processes for signing up to a genuine NHS branded app.

Police and trading standards have long warned of fraud by those offering testing services or demanding access to homes as part of testing. These warnings imply that the risk is primarily to individuals. The Covid-19 lockdown led to an explosion of fraud and abuse as traditional UK criminals moved on-line to join organised crime around the world in adapting  to exploit the opportunities to  pillage central and local government relief programmes, private sector organisations with large numbers of homeworkers, SMEs and charities as well as all those children, consumers, pensioners etc. isolated in their homes. About half the UK workforce currently work remotely. It is said that third of SMEs have fallen victim to phishing attacks, half of them Covid related.

The involvement of UK fraudsters has led to more realistic imitations of the house styles of the NHS, HMRC, Gov.UK, DWP and other trusted UK “brands. This has led to changes in advice, as with this NCSC advisory notice carrying recent examples .  NCSC has also issued a more specific advisory notice to combat “password spraying” attacks in the name of the WHO, NHS and others, targeted at remote workers, including research staff, in the UK and US health care industries.

Meanwhile all large organisations (whether public or private) which moved rapidly to enable staff (and, in the case of education, pupils and students) to work from home without implementing DNS checking (DKIM, SPF , DMARC plus the necessary checking services on e-mail routers etc.) are now exposed to fraud by those impersonating their corporate e-mail services and those of their customers, suppliers and partners.  The problem is at is most acute with regard to attacks using imitations of the UK’s best known and most trusted brand (the NHS) to obtain the clicks necessary to insert their “payload” into the system of the homeworker, pupil, teacher or parent.

In consequence the City of London Police said “Whilst it is possible for criminals to fake official phone numbers, they cannot fake official website addresses. We would encourage anyone with concerns about a phone call, text message or email they have received, in relation to Test and Trace, to check the website address being provided to you carefully. If possible, type the official address, which will be https://contact-tracing.phe.gov.uk followed by unique characters given to you, directly into your browser.”

4) The Questions to be asked regarding Track and Trace and the issues behind the questions

4.1) What guidance is being provided to the public, via which channels, to help reduce the risk of them being defrauded by those impersonating the staff of Test and Trace and/or the texts, e-mails and phone calls they sent?

The need is for clear and well published guidance so that the public is aware of how to avoid being abused/defrauded by those whose probity/verity they cannot realistically check.

The guidance on the Test and Trace website https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works does not yet cover all the points made by the  City of London Police spokesperson  who said:

“Unfortunately, criminals will exploit every opportunity they can to defraud innocent people of their money, or steal their personal details.

“This government service is extremely important in the fight against coronavirus and it’s vital the public get on board with it. However, we understand the concerns people have about the opportunity for criminals to commit scams and we are aware from media reports that some scam texts are already in circulation.

“It’s important to remember that NHS Test and Trace will never ask you for financial details, PINs or banking passwords. They will also never visit your home.

 “Whilst it is possible for criminals to fake official phone numbers, they cannot fake official website addresses. We would encourage anyone with concerns about a phone call, text message or email they have received, in relation to Test and Trace, to check the website address being provided to you carefully. If possible, type the official address, which will be https://contact-tracing.phe.gov.uk followed by unique characters given to you, directly into your browser.

“If you think you have been sent a scam message, please report it to Action Fraud.”

For example the main Test and Trace information website contains an embedded link to the test website  https://contact-tracing.phe.gov.uk/ rather than spelling out the website address. There is also a need to, for example, tell those who have received a phone call to check that their line has been cleared before they try to ring back on the official number.

Such basic messages, from mainstream guidance on fraud prevention, need repeating because many of those contacted by Track and Trace, or those impersonating it, may not be aware of them. Conversely we know from attempts to contact those in isolation to organise food parcels and medicine deliveries that many are now so scared of fraud that they refuse to answer the phone at all. that many Repetition also enhances confidence that the safety/security of those contacted are taken seriously.

4.2) Who is responsible for taking steps to reduce the risk of the public receiving calls purporting to come from the official text and phone number but not actually doing so?

In its guidance on Number Spoofing Scams Ofcom says it is “working with the International Regulators – as well as the telecoms industry- to find solutions to the problem”. What progress is it making? Who is putting what pressure on Ofcom and the telecoms industry, to implement some of the “solutions” that have already been proposed to help reduce the problem.

Ofcom refers to the IETF group set up to “tackle the issues” related to VOIP spoofing. How active are it and the UK telcos with regard to testing and/or implementing the “solutions” that have been proposed which might reduce, albeit not eliminate, the problems as they affect those in the UK.

4.3) Who is responsible for taking steps to reduce the risk of the public receiving calls and/or e-mails purporting to come from the local authority and other teams involved?

 On May 21^st the “Minister” confirmed (written answer to WPQ 46814) that NHSmail is now fully  DMARC compliant. “This service fully implements the Domain-based Message Authentication, Reporting and Conformance (DMARC) controls with a policy set to reject any emails that fail the DMARC checks.”

The situation is less good across the rest of Health and Social Care. There is only “ a secure email standard to ensure email is securely exchanged. The information standard is published under section 250 of the Health and Social Care Act 2012 and all NHS organisations are required to give due regard to the standard. It also requires NHS organisations not using NHSmail to have a DMARC policy of ‘quarantine’ and an agreed timeline for implementing a ‘reject’ policy.”

Who is checking implementation against the standard? There is a need to also check the policies of the contractors used by Test and Trace, particularly to communicate with their home-based workers.

Also what are the processes to facilitate security co-operation with Local Government Public Health teams, e.g. via the Local Government WARPs

4.4) What are the penalties (under civil or criminal law) for those organising Covid-related frauds, those aiding and abetting them and for those who fail to take reasonable steps to protect their customers?

 The Covid cyberfraud pandemic has added urgency to the long overdue need to work with the CPS Policy team to produce and publicise guidance based on their material on cybercrime offences akin to that on prosecuting Social Media Offences . This is expected to similarly reveal similarly serious gaps.

4.5) What are the penalties for those employed in the Test and Trace operations, whether as individuals or as organisations, for misusing the information to which they have access?  

The power to impose custodial sentences (Sections 77 and 78 of the Criminal Justice and Immigration Act 2008 relating to the offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998) was not implemented. It was then repealed by the Data Protection Act 2018. The current penalties for individuals, as opposed to the organisations employing them, are unclear. Once again it would be helpful to obtain guidance from the CPS policy team.

The answer to QWA HL3706, May 7th) said “Existing law and NHS standards set out a framework of protective measures to ensure the app is legally compliant and meets the standards expected to keep data secure and confidential. This includes GDPR and the Data Protection Act 2018, and the Common Law Duty of Confidentiality in cases where data is provided that might identify an individual.

The data protection legislation provides the Information Commissioner with a range of enforcement powers to ensure organisations comply. As well as significant financial penalties for non-compliance, the 2018 Act includes a range of criminal offences for the very worst breaches of the legislation. This includes the offences of unlawfully obtaining data and re-identifying personal data that has been pseudonymised without lawful excuse. We are satisfied this provides a comprehensive framework and have no plans to increase the maximum penalties of any offences under the Act.”

Also what are the penalties for those making malicious repots on symptoms and/or contacts in order to close down businesses or progress personal feuds

4.6) What is the process for reporting suspicious texts, e-mails and phone calls and to whom should these be reported – Action Fraud (in which case are there any plans for a separate, simpler. process accessed from the main page) or, in the case of e-mails, via the Suspicious E-mail Reporting Service? 

The answer to QWA HL3707(May 14^th) was: “The public should make all reports of fraudulent phishing emails and telephone calls to Action Fraud which is the national reporting facility for fraud and cyber crime … Action Fraud takes reports via its call centre and website. The contact centre’s operating hours are from 08:00 to 20:00 (Monday to Friday) but reports can be made at any time using their online reporting tool. There is also a dedicated 24/7 call service for live cyber incidents. The web pages can be found at: https://www.actionfraud.police.uk/

Crime reports received by Action Fraud are considered by the National Fraud Intelligence Bureau (NFIB), both of which are operated by the City of London Police, the UK’s national lead force for Fraud. Where enough evidence is available and viable leads are identified, actionable intelligence packages are created and sent to the appropriate local police force for them to consider whether they will adopt the report and commence enforcement activity. It remains the responsibility of local police to consider whether to progress any enforcement activity even where viable lines of enquiry have been identified by NFIB. Individuals can check the status of their reports through the website to see whether it’s been disseminated to a local force for investigation, and if an outcome has been recorded.

NFIB can also take down fraudulent websites, telephone numbers and close bank accounts linked to fraud.

Reports not deemed viable for investigation remain under constant consideration for links to newly reported crimes. The intelligence is also used to identify opportunities to disrupt offenders and to protect victims and prevent further frauds through warnings given out by Action Fraud through various channels and in collaboration with other counter fraud bodies and organisations.”

There was no reference to the Suspicious E-Mail Reporting System . This automates one of the most labour intensive parts of the system, collating unusable “reports” into actionable intelligence. The sharp increase in “Covid-themed” attacks, many using wording related to Testing and Tracing processes as part of the “bait”, threatens to further overload Action Fraud. There is a need to revisit the guidance in consultation with NCSC, NPCC, Trading standards and others.

Consideration should be given to a separate reporting process to help protect the NHS “brand”. This might be usefully linked to the global “brand protection” services already used by many Global Health Care providers, including most leading pharmaceutical companies and many other suppliers to the NHS.

4.7) What supplementary budgets/resources are being provided to Action Fraud and/or the Suspicious E-mail  Reporting Service to handle the likely volume of impersonation and fraud and take effective action against the perpetrators? 

 Plans have been made to automate many of the more labour intensive intelligence gathering and reporting processes but there is a need to work more closely with industry, perhaps using processes akin to those of the NCFTA . The NCFTA was originally created to handle the problems of co-operation across the 25,000 (yes 25,000!) police forces and law enforcement agencies of the USA. It is now arguably the world’s most powerful cross-boundary law enforcement co-operative. It already hosts collaborations between Law enforcement agencies and Health and Welfare providers around the world. The NCFTA “Pharmaceutical Fraud Initiative”, part of the euphemistically named Brand Protection Programme , has organised global co-operation to take down several international organised crime networks whose production and sale of imitation medical products were a serious risk to public health. Such co-operation has included simultaneous raids around the world by local law enforcement in parallel with threats of victim-funded civil action for damages against those in the Internet supply chain who do not “voluntarily” co-operate with law enforcement.

Many of the large UK-based businesses with which NCSC and its partners are seeking to work have already helped fund NCFTA exercises to “take out” those causing grief to themselves and their customers, using whatever mix of local, national and international civil and criminal law (and resources) is necessary.

The NHS should also participate in such exercises, alongside its suppliers and UK law enforcement. It should use the opportunity to build on the links and processes that already exist to enable the treaty-based process of formal law enforcement to be bypassed using local co-operation in the common good.

UK law enforcement agencies already work with and through the NCFTA on operations for which public credit is subsequently given to Interpol or Europol. These were not, however, organised via them because of the need to inform untrusted law enforcement agencies. This may well be the case with regard to some of the global Covid-related frauds

4.8) Are there any plans to rationalise/update “legacy” guidance sites which still route most reporting to Action Fraud. For example https://www.gov.uk/report-suspicious-emails-websites-phishing

 There are significant inconsistencies between Central Government and Police websites. These include whether Covid phishing e-mails should be reporting to Action Fraud or via the Suspicious E-mail Reporting services.

An exercise by a security supplier which identified over 10,000 Covid-themed websites found that over 2.5% contained  malicious code and over 12% more appeared suspicious. Whatever the precise figures there is a problem.

There is a need for regularly and authoritative guidance to reduce the risk of downloading Covid-themed mobile phone (and other apps) and/or or visiting web-sites (some widely promoted via social  media and search engines)  designed primarily to collect information to aid fraud.

5) The formal Parliamentary Questions and Answers

Question:  HL5220  To ask Her Majesty’s Government what guidance they are providing to the public, and via which channels, to help them reduce the risk of being defrauded by those impersonating the staff of the NHS test and trace service through texts, emails and phone calls; and who is responsible for taking steps to reduce the risk of such attempted frauds. (HL5220)

Answer: The NHS Test and Trace service was launched on 28 May 2020 and information on how the service will contact people by text, email and phone was published on 27 May in an online only format on GOV.UK. Guidance on advice on how to protect yourself and business from fraud and cyber crime was released by the Home Office. This is available in an online only format on GOV.UK. It was last updated on 27 April 2020.

Question: HL5221 To ask Her Majesty’s Government who is responsible for reducing the risk of the public receiving fraudulent calls or emails purporting to come from the local authority and other teams involved in the NHS test and trace service.

Question: HL5222 To ask Her Majesty’s Government what are the penalties under civil or criminal law for (1) those organising frauds relating to the NHS test and trace service, (2) those aiding and abetting them, and (3) those who fail to take reasonable steps to protect their customers against such fraud; and what are the penalties for those employed in the NHS test and trace service, whether as individuals or as organisations, for misusing the information to which they have access.

Question: HL5223 To ask Her Majesty’s Government what is the process for reporting suspicious texts, emails and phone calls purporting to relate to the NHS test and trace service; to whom should such reports be made; whether Action Fraud and the Suspicious Email Reporting Service are involved; and, if so, whether there any plans for a separate, simpler process accessed from the main page of Action Fraud. (HL5223)

Answer (to Questions 5221, 2 and 3)
The Government launched its new NHS Test and Trace service on 28 May 2020. This includes enhanced contact tracing.

NHS Test and Trace has been developed to government security standards and we have been working with the National Cyber Security Centre, on measures to keep the public safe. The NHS Test and Trace service uses text messages, email or phone. All text or emails will ask people to sign into the NHS Test and Trace contact tracing website with a set of unique characters provided alongside a secure link to the site. For those people that are unable to respond via email or text, perhaps because they do not have those options available to them, a phone-based service will contact them and support them through the process.

If the public are concerned about whether a call or email they receive comes from NHS Test and Trace service they can visit GOV.UK and view a page which lists the official phone numbers used by this service and can also check what is and is not going to be asked.

If anyone thinks they have been sent a scam message, they can report it to Action Fraud. If people receive an email which they are not quite sure about, they can forward it to the National Cyber Security Centre’s Suspicious Email Reporting Service and to report a spam text, they can forward the message to Ofcom’s spam texting service on 7726.

Any action to investigate reports of potential fraud will fall to the police / National Crime Agency and if prosecuted it will be for the courts to decide sentencing.

6) The Feedback I am seeking from YOU

As well as comment on any significant errors and omissions in the material above, I wish to identify authoritative and quotable sources on:

• The security or otherwise of blue-tooth enabled apps, including the risks of spoofing, data exchange, device infiltration etc. In section 2 I refer to the Warwick/Birmingham University study which refers to concerns about sharing data with other users (e.g. those around you in the train carriage or on the bus). I would like to add links to equally robust/authoritative material indicating how far those fears are shared with regard to other uses or by other audiences. I would also like to reference intelligible (to non-technical audiences) material on how far those concerns are rational and/or reasonable with regard to product and services as shipped and used.
• The current state of play with regard to reducing the risk of CLI and VOIP spoofing, including the ITU and IETF exercises referred to by Ofcom (Question 4.2)
• The current penalties for those organising or facilitating Covid-related frauds (Question 4.4)
• The current penalties for individuals employed in the Track and Trace programme as well as for their employers (Question 4.5).
• Current processes for international co-operation e.g. via the NCFTA Pharmaceutical Fraud Initiative (Question 4.7).
• Current sources of relevant security guidance and support and the channels used for communicating that guidance (Question 4.8). It is apparent that the absence of authoritative “registers” of reputable sites, sources of guidance, training or support, including for victims, is a serious problem. I believe we need to expedite, not just discuss, action on this problem.