All articles tagged as: security

When is withheld, not withheld?

I love Three's new WiFi Calling feature (well, it's an Apple feature, but Three finally decided to support it!) – ultimately it lets me use my phone (most of the time) at home for calls and SMS (think 2FA!) where there is no signal on Three. However, I recently discovered a big issue. With "Show My Caller ID" turned off, calls I make are not withheld. That is, the called party can see my, supposedly private, Caller ID.

The Law

Ofcom wrote to all UK CPs a number of years ago reminding them of their responsibilities; part of this eMail included: CPs must respect the privacy rights of consumers…


SMS 2FA and the Modern Smartphone

SMS has been around for over 20 years now and yet this basic 160 character instant messaging service is still widely used for marketing, transactional messages and two-factor authentication ("2FA").

This was just a random thought when trying to log into something for the third time today that requires an SMS OTP. When I'm staring at a form input box and my phone receives a message at that exact moment, the chances are it's to fill that box in; it'd be nice if this was more streamlined! Imagine if, for example, an HTML form could listen for the message... perhaps with something like the following…


iMessage Preview

So, iMessage has a handy new feature - both on iOS and macOS - where if you send someone a URL it will extract some metadata from this URL and display it as a clickable link. You'll be used to this behaviour if you use Facebook or Slack, as it provides useful meaningful content for a link. However, there's a big difference between their implementation and iMessage. When you use Facebook or Slack, the website you've linked to will see a request from Facebook or Slack's servers.

Information Leakage

iMessage makes a request from the device itself which reveals some significant information; The ta…


Phishing at Lloyds

Today I received a phishing eMail, nothing unusual there... I get loads of them, but this is a little more convincing than most for one reason: it contained my postal address (ok, one from many years ago, but nonetheless it proves that it was a lot more targeted than some).

The eMail

As usual the grammar and formatting are both terrible, so you'd be unlikely to believe this is from Lloyds bank, but many people do, it seems. The usual fake urgency is a bit of a giveaway as well - "Please respond within the next hour to avoid a permanent block." - why? So, let's respond...

The website

This is act…


Reverse Lookup ("CNAM") in the UK

For many years the USA has had a 'CNAM' service (or Caller ID Name), allowing telecoms operators to show the name of the caller rather than a number. There are obvious advantages to this: having "BT" show when they phone rather than 0800 800 150 would be much more useful, but it is also open to abuse. After all, would you trust a call appearing to be from your bank if the name appeared? The method of powering this is known as a Reverse Lookup.

OpenCNAM

Today I stumbled upon a service called OpenCNAM which claims to offer this across the globe and, surprisingly, matched my mobile number to my na…
