
How Scattered Spider hacked British retailers — and why it’s time to ditch passwords for good

Written by Gareth Stinton - Cybersecurity Specialist | May 19, 2025 11:24:06 AM

As it can hardly have escaped anyone’s notice, M&S, Co-op and Harrods have all been subject to cyber attacks over the last few weeks. These well-known British institutions have become the latest victims of a rapidly emerging hacker group known as ‘Scattered Spider’. The group first rose to prominence in 2023 after launching high-profile (and costly) attacks on the casino companies MGM Resorts and Caesars Entertainment. These latest hacks appear to have been very costly for M&S too, with £1 billion knocked off their share value and an estimated loss of £15 million of profits per week.

What’s interesting about Scattered Spider is the methods they use to gain initial access to a victim’s systems. Rather than exploiting technical vulnerabilities or deploying sophisticated malware, they rely on social engineering – manipulating people rather than technology. They simply convince their victims to do things that they shouldn’t, or to follow vulnerable processes that the attackers know how to exploit.

Many of us use our phones to receive one-time codes for logging into accounts, and it is common for IT help desks to send password resets to the phone number they have on file. Scattered Spider seem to be masters of what is known as a SIM swap attack. This technique involves convincing someone’s mobile provider to transfer their phone number to a new SIM card owned by the attacker. Once that is done, the attacker receives all calls and messages sent to that number, including any newly changed or one-time passwords.

In the case of MGM, Caesars, and the British retailers, Scattered Spider gained access to staff phone numbers and exploited them by having user account passwords reset. The full details are yet to emerge, but the attacker was likely not asking the help desk engineers who handled these requests to do anything out of the ordinary. The result, however, was that the attackers held not only the password to the victim’s user account but also the means to receive its multi-factor authentication codes, giving them initial access to the victim’s systems.

So, what can we do to protect ourselves from these tactics? Firstly, we need to adapt our processes to be resistant to phishing and other forms of social engineering. IT help desks should have a method of authenticating the identity of callers that doesn’t rely on the number they’re calling from or any kind of publicly available information. 

Secondly, we should consider moving away from passwords altogether. As a concept, they’ve been used for thousands of years and have never been particularly foolproof or easy to use. We each have dozens, if not hundreds, of online accounts that require passwords, and far too few of us practise good password management: using a unique password for each account, storing them in a secure password manager, and fastidiously applying multi-factor authentication. Passwords are regularly re-used, stolen, or simply guessed, which can and often does lead to our accounts being compromised.

What’s the alternative? The National Cyber Security Centre (NCSC) has the answer for you – passkeys. These are digital keys that unlock access to your account and are saved on your chosen trusted device. Whenever you want to log in to your account, the device will only provide the passkey once you’ve proven to it that you really are who you say you are, usually by using your PIN, fingerprint or face to unlock it. You don’t need to know which passkey works for which account; your device takes care of all that for you. Hey presto! No need to remember or write down more passwords than you have pets or football teams or favourite bands to name them after.

Not only are passkeys easier to use than passwords, but they’re much more secure in other ways too. It’s common for attackers to try to trick us into giving away our passwords with fake login pages, an approach that simply won’t work with passkeys: your device will only present the passkey to the genuine domain it is linked with, such as gmail.com. Passkeys also cannot be stolen from a provider’s servers in a data breach, because they are stored only on your device and nowhere else.

The NCSC sees passkeys as the future of authentication. To this end, the new version of Cyber Essentials – ‘Willow’ – which came into effect on the 28th of April, now explicitly accepts passkeys and other passwordless authentication methods as compliant with its requirements. If you want to learn more about moving to this passwordless future, or whether your chosen method of passwordless authentication will comply with Cyber Essentials, then get in touch with Toro and our Cyber Team will lend their expertise.