
Where There’s Money, There’s A “Professional” Scammer

“Hello. I’m Dr Clock. Isn’t the weather wonderful today? I’m your contact tracer from Dr Click’s practice. Before we start, can you just go to this web site, and download the App for me?”

For those who remember the Talk Talk cybersecurity incident, there was a sharp intake of breath when England’s Deputy Chief Medical Officer announced that you will be able to tell that someone is not a scammer, as they will sound “professional”:

At the time of the Talk Talk incident, Dido Harding (now in charge of the Track and Trace programme) said something similar:

“You will be able to tell that the email is from us, as it will have a Talk Talk link in the email, and the subject field will have something related to Talk Talk”.

Basically, if there is money to be gained, the scammers will be as professional as you want, and they can target specific individuals. For example, Hamilton FC lost over £1 million through a targeted scamming campaign. There is thus little in the contact tracing programme that would let someone tell the difference between a “professional” and a scammer.

There is little to stop a scammer from asking the same questions as the professional, and little to stop them asking for your credit card details “for a test” at the end of the conversation.

There is little to stop a scammer from asking you to go to a URL that sounds like the NHS and download a “track and trace” App, which simply installs a remote desktop tool on your computer. Once it is installed, the scammer can get into your computer, steal your data, and watch you log in to your bank.

Why haven’t the NHS set up an out-of-band authentication system, where a contact tracer gives a code over the phone, the person being traced enters this one-time code into a trusted NHS page (whose address they type themselves, rather than following a link they were given), and the page validates it and shows a result that the caller must already know? It is a fairly standard method that we use with so many systems.

“So can you go to track.nhs.uk, and enter the code of “546512” and I will tell you the result. Have you done it?

Yes.

The code is “8814”.

Is that right?

Yes.

Now, at any time you can ask me for another code, and we can check this again. Every time I call, we will do the same …”
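The exchange above can be implemented with very little machinery. What follows is an added example written for this post; it is not NHS code and track.nhs.uk is only the hypothetical address used in the dialogue. The tracer’s authenticated console asks the service to issue a challenge code (the six digits read out over the phone) together with the four-digit response the tracer expects to hear back. The public page the citizen types the address for looks the challenge up and, if it is unused and fresh, returns the response. A scammer who invents a six-digit code gets nothing back, because no tracer issued it. The response is derived with an HMAC over the case and challenge under a server-side key (an assumption of this design, chosen so the console and the public page agree without sharing any state beyond the issued record); the names, the five-minute lifetime and the in-memory store are all assumptions for the example.

```python
"""Out-of-band code check for a phone call (added example, not NHS code)."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_DIGITS = 6   # what the tracer reads out: "546512"
RESPONSE_DIGITS = 4    # what the citizen reads back: "8814"
TTL_SECONDS = 300      # assumed lifetime of a challenge (5 minutes)


class CodeCheckService:
    """Issues one-time challenge codes and validates them from the public page."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # server-side secret, never leaves the service
        self._clock = clock             # injectable so expiry can be tested
        self._issued = {}               # challenge -> record (assumed in-memory store)

    def _response_for(self, case_id: str, challenge: str) -> str:
        """Derive the read-back code from the case and challenge under the server key.

        Without the key nobody can predict it, so a caller who knows the
        response in advance must have obtained it from the real service.
        """
        msg = f"{case_id}:{challenge}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        n = int.from_bytes(mac[:4], "big") % 10 ** RESPONSE_DIGITS
        return f"{n:0{RESPONSE_DIGITS}d}"

    def issue(self, tracer_id: str, case_id: str):
        """Called from the tracer's authenticated console before they read a code out.

        Returns (challenge, expected_response): the tracer says the challenge
        and waits to hear the response back.
        """
        while True:
            challenge = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
            if challenge not in self._issued:      # avoid reusing an outstanding code
                break
        self._issued[challenge] = {
            "case_id": case_id,
            "tracer_id": tracer_id,
            "issued_at": self._clock(),
            "used": False,
        }
        return challenge, self._response_for(case_id, challenge)

    def verify(self, challenge: str):
        """Called from the public page the citizen typed the address for.

        Returns the response code if the challenge was issued, is unused and
        is still within its lifetime; otherwise None. Marks it used so the
        same code cannot be replayed on a later call.
        """
        rec = self._issued.get(challenge)
        if rec is None:
            return None                             # never issued: a made-up code
        if rec["used"]:
            return None                             # already consumed on an earlier call
        if self._clock() - rec["issued_at"] > TTL_SECONDS:
            return None                             # stale: the call has moved on
        rec["used"] = True
        return self._response_for(rec["case_id"], challenge)


def phone_call(service: CodeCheckService, tracer_id: str, case_id: str) -> bool:
    """Simulate the dialogue: tracer issues a code, citizen checks it on the page,
    tracer compares what is read back with what the console showed."""
    challenge, expected = service.issue(tracer_id, case_id)
    read_back = service.verify(challenge)           # citizen enters it on the trusted page
    return read_back == expected


def scammer_call(service: CodeCheckService) -> bool:
    """A scammer with no console access can only guess a code; the page
    returns nothing for it, so they can never tell the citizen the result."""
    guessed = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
    return service.verify(guessed) is not None


if __name__ == "__main__":
    svc = CodeCheckService(secrets.token_bytes(32))
    print("genuine tracer verified:", phone_call(svc, "tracer-1", "case-42"))
    print("scammer verified:", scammer_call(svc))
```

Two caveats a deployment would need beyond this sketch: the public page must rate-limit lookups, because with many challenges outstanding a brute-force of the six-digit space starts to pay off; and the check only proves that the caller can reach the real tracer console, so it must be repeated on every call rather than trusted once for the whole programme, exactly as the dialogue says.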

Want to know how the scammers work? … here is one …

Conclusions

One thing that is apparent from the current situation is that we need to be smarter in using data, and have trusted digital ways to contact people at risk. For now, we are using one of the most untrustworthy devices around … the old analogue phone.

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.
