Weekly review 40

12.10.2021 - Last week, the number of reports received remained moderate. The data leak from a hacked video streaming portal showed once again how quickly sensitive data can be made freely accessible on the internet. The second case is an example of how easy it is for fraudsters to obtain money using payment services.

Video streaming portal as an example of data theft on the internet

twitch.tv is one of the largest streaming platforms for video games. In addition to the live video streams, there is also a community with lively discussions. Last week, it became known that hackers had penetrated the systems of twitch.tv and stolen, among other things, the personal data of the users and the community's entire communication history since the launch of the portal. Users were advised to at least change their passwords. They were also asked to enable two-factor authentication. This requires a code sent as a text message or email to be entered in addition to the user name and password.

Information from twitch.tv on the security incident
Information from twitch.tv on the security incident

However, this does not change the fact that the users' data is now freely accessible to all on the darknet. This means that all comments ever made on the platform – even those that were only accessible to a small circle on the platform itself – can now be read by anyone. As soon as a person can be identified, a profile can be created using the released information. It is then possible to see what he or she shared and with whom – potentially even confidential matters. One twitch user contacted the NCSC and asked if his data could somehow be deleted. Unfortunately, this is practically impossible.

This incident is not an isolated phenomenon; many hundreds of such data leaks have already been made public and there is a possibility that your own data will also be affected by a similar data theft sooner or later. And every time you register for something on the internet, the likelihood of this happening increases a little.

  • Assume that information marked as private can also become public in the event of data theft. Think beforehand about what this could mean for you.
  • Use a pseudonym on the internet and a separate email address wherever possible.
  • Use a separate password for each service and two-factor authentication wherever possible.
  • Do not allow internet services to store your credit card details.
  • Do not pay money to people who claim to be able to delete your published data.

Telephone scammers use devious methods

Scammers can be some of the most innovative people around. As soon as a new technology or service is launched, it usually does not take long before elaborate stories are invented to trick someone.

The use of payment services offered by telephone companies has been common for several years. They allow certain services and products to be bought online and charged to the customer's telephone bill. This method of payment can be used to make purchases in various online shops. In order to ensure that a purchase is accessible only to authorised parties, a separately created PIN code has to be used each time – in the case of payment via a telephone company, this is sent to the buyer in a text message. For fraudsters, such purchase options are helpful, as they can be exploited digitally and anonymously. The following case, which was reported to the NCSC last week, illustrated this:

The victim received a phone call via WhatsApp, apparently from their phone provider. The caller explained that he was phoning to verify a discrepancy on a phone bill. A four-digit number was to be sent immediately and read out as confirmation. In actual fact, this number was the PIN code needed to make a purchase in an online shop. After the victim had read out the code, the fraudsters were able to make purchases via the online store in question. Since the person concerned noticed this relatively quickly, he was able to stop the payment service – but some gift cards had already been purchased.

Some of the gift cards available
Some of the gift cards available

The fraudsters had directly used the information available online about the defrauded person – which apparently included their phone provider – to invent what the targeted individual found to be a believable story.

  • Always be sceptical if someone calls you or sends you a message demanding something from you.
  • Never allow yourself to be put under pressure.
  • As soon as you notice such a scam, inform the operators of the online store and your telephone provider. Report the matter to the police.
  • Deactivate such services whenever you are not using them.

Last modification 12.10.2021

Top of page