Have Contact Tracing Scam Opportunities Been Easily Enabled?

The dilemmas around contact tracing have mostly been about the security and future use of the personal data collected, with privacy advocates and academics citing their concerns.

However, earlier this week announcements were made about how communications will be carried out regarding contact tracing, as members of the public will soon start receiving text messages and emails from the NHS Test and Trace Service. UK Health Secretary Matt Hancock said that if you are contacted by NHS Test and Trace and it instructs you to isolate, “you must” and “it is your civic duty, so you avoid unknowingly spreading the virus, and you help to break the chain of transmission.”

However, this does raise the question of how a member of the public can verify that a text message is genuine, and not one that is getting you to give up your details or download some sort of virus. In particular, the text message (or email) will be sent by someone working for the NHS Test and Trace Service and will ask receivers to confirm or provide their: full name, date of birth, sex, NHS Number, home postcode and house number, telephone number and email address, and COVID-19 symptoms.

These are all details that your average scammer would work hard to obtain, and in this case, they could collect very easily. Researcher Steve Lord pointed out a number of ideas and ways that an attacker could utilize this new concept, so Infosecurity talked to Lord and a group of researchers and social engineers to collect their thoughts on this issue.

As Lord detailed the multiple ways that a scammer could utilize the contact tracing situation to gain money, we asked if this is likely to happen, or if user should actually be more concerned about the secure rollout/storage of the data? Lord said: “normal scams rely on authority, greed and urgency” and these have to be built up in the victim to push them to comply.

“In this case, authority is provided by the contact tracing facility which apparently has the power to compel people to stay indoors,” he argued.

“Normal scams rely on authority, greed and urgency”

Likewise, Jenny Radcliffe said the truth is, this could be used in any number of ways. She said: “The possibilities for abuse are so broad that it’s hard to say which is the bigger threat, but I would be looking at immediate financial and identity theft, accessing of personal information and data and a domino effect in terms of ransomware and general extortion in the short- to medium-term, with more long reaching implications for privacy and even democracy as longer-term potential threats.”

Pete Herzog said running scams against an unsuspecting population “has never been more organized nor more opportunistic,” and the “number of criminals who can attempt low tech fraud is huge and greatly outnumbers the number of skilled attackers who can defeat security systems.” He explained that abuses of the Track and Trace system is clearly going to be the UK's biggest problem.

We’ve seen reports of increased phishing, so did the group feel this was a new type of phishing message vector? Lord said it’s a “new flavor of the same type of scam, intensified by the muddy and often conflicting nature of the official COVID-19 response.” He said what is new here is that this is something that affects everyone, so that appearance of authority combined with real urgency really makes it a juicy area for scammers.

“The government’s commitment to providing inconsistent and conflicting information is only a good thing for phishermen, if sadly not for the rest of us,” he said.

“The government’s commitment to providing inconsistent and conflicting information is only a good thing for phishermen”

All About Trust and Confidence?

So is the whole contact tracing effort based purely on a combination of trust that people know what to do and act accordingly, and a presumption from the government that they think they are doing this correctly? Herzog said that security has a paradox where the more controls you add, the greater the attack surface because each control added can also be attacked. “This is a case of a broad control which is unnecessary and itself insecure that will be abused to attack the public,” he said.

Herzog claimed that the government doesn't need everyone to do this, they just need about 80% of the population to comply, and that appears to be about the number of people who are currently following social distancing and quarantine rules anyway, which is why the number of deaths is not worse.

Lord agreed, saying the real issue is that complex public health and cybersecurity issues are being set aside, ignored or swept under the carpet because the government desperately wants a good headline. “The government so far is treating everything as a PR crisis, not a health crisis.”

"The government needs to desperately rebuild public confidence if it wants people to install apps"

Doing it Differently

What could have been done more efficiently and securely? Lord said a large part of this is down to public confidence, and “the government needs to desperately rebuild public confidence if it wants people to install apps.”

Radcliffe said technical solutions apart, more information about scams generally would be useful “and in particular about how people are distorting the message and approaching victims using the crisis would help” as public information campaigns can be used, as well as having an easy way of reporting suspicious behavior.

Herzog recommended two steps: not choosing a control that requires public trust in a system that's already lost their trust, and if you need to do it, then it needs to be done correctly with random numbers assigned to people, hashed identities for storage, increased use of AI to keep people's eyes out of it, and little to no intrusion into the public.

He added: “In security, we know that if you want safety, you do it at the server, not in trusting the client. Same here. Don't rely on the trust of the people or else someone else will abuse that trust.”

James Tusini, CEO of Matta Consulting, said the obvious ways to increase overall security would be two-fold: user education, and trust in the government handling citizens’ data securely and ethically.

“Citizens in the UK have long opposed centralized ID schemes, but this hasn’t prevented the government coming up with even more draconian systems, such as the UK’s  Investigatory Powers Act or the CCTV facial recognition system, which I’m not sure are any better in the long run,” he said.

“In an ideal world, there would a be a trusted party, that has the citizens’ interest at heart, that would run a centralized authentication database. This would most likely be the government but until we can resolve the main issues of trust, this is never going to happen and we’re going to have to resort to a non-uniform, non-standard approach to attempt to address the issue.”

As part of the research, Infosecurity also spoke to Anti-Social Engineer Richard De Vere, who pointed out this week that by changing one hyphen to a dot in the URL, the user would be pointed to a scam website. In this case, he has now purchased the domain. He said he would be surprised if 5% of the population would spot that change, and his own family had not spotted the change in a draft of his research.

De Vere said it was frustrating, as the NCSC’s own guidance explains how a phone number can be spoofed and how rogue SMS messages can be sent from that number.

De Vere said the Public Health England service was set up for Ebola contact tracing, so this could have been repurposed. “If they got people from NCSC to do that and give them £200,000 to improve public health England, they could have done it that way.”

Ultimately, the deployment of contact tracing has not been without a few bumps in the road, but whilst we are concerned about data security, the scam and phishing potential is very real.

What’s Hot on Infosecurity Magazine?