More and more Israelis have over the past year been the target of phishing attacks, a hacking technique designed to trick unwitting users into giving away sensitive information, thus allowing attackers to gain access to their accounts without needing to hack them or even crack their passwords.
The goal of phishing attacks are usually fraud or identity theft and they allow the attackers to login to their victim’s accounts or gain access to sensitive information like their credit card number. Though phishing is a clear cut form of criminal behaviour, few people turn to the police in the case they have been the victim of such an attack. Even experts and researchers tracking such criminal operations will rarely go to the police with their findings.
According to data from 2017, only 9 percent of victims of cyber crimes in Israel report them to the police. The police noticed this statistic and this week launched their first campaign urging the public to turn to them regarding incidents of online fraud and theft.
The goal is a worthy one. However, the campaign suffers from a fatal flaw. After the issue was flagged by Haaretz and others online, the police addressed it. However, it still offers a good lesson in how not to prevent phishing attacks, as well as a possible explanation as to why Israelis are exposed to such issues due to state negligence.
So what’s the problem with the police’s campaign?
At the center of the campaign was an email and a hotline the police provided for the public in an attempt to streamline the ability to lodge complaints and report cyber crimes.
- Israeli state-owned website sends personal info to private server
- Why the IDF told Israelis near Gaza to turn off their webcams
- The secret app Israeli soldiers use poses a serious risk
The email itself is not an official email situated on a state server, but rather a Gmail account. Thus less than an answer to the problem of phishing, the email provides a good example of how phishing attempts actually look.
The initial email - firstname.lastname@example.org - was changed to an official email account - email@example.com - after the issue was flagged. However, it is worth noting that most phishing attempts use emails accounts that seem to be official but are actually bogus attempts to dupe victims into providing their personal details.
That’s why it’s so important to make sure all emails you receive from official state bodies actually make use of an official domain. Gmail, for all its benefits, is privately owned, unlike the police.gov.il domain which is a secure state server which can be trusted.
The use of an official .gov domain is important because it prevents fake accounts. Anyone can open an account on Gmail with the word “police” or “fraud“ in it, but no one except an official police representative can open an account on the police.gov.il domain.
Using an official server also prevents or at least substantially lowers the odds of someone hacking into the official account, which is as secure as the one used by the Prime Minister’s Office or even the Israel Defense Force.
The use of an official email also has other benefits - for example, if someone misspells the email address by mistake, their details and the content of the email will not fall into the wrong hands as many times email accounts with common typos are use to try to collect information erronsily sent to wrong addresses.
Other issues were also found with the police’s initiative: As Yevgeny Zrovinsky pointed out on Twitter, by providing both an email and a phone number for a hotline, the police exposed themselves, too. The phone number is linked directly to the Gmail account and can thus be easily used to lock the police out of their own insecure account.
When someone forgets their password Gmail allows them to reset it by providing the correct phone number to which a recovery password can be sent. With the help of the email and phone number any one can now request the password be reset. Reset it enough times and the account will be suspended and its owner - the police - will be locked out.
It is worth noting that this is at no fault of Google or Gmail. Google also provides organizations with the ability to use the Gmail interface on their official servers, so if the officers behind the initiative are adamant about using Gmail they can still do so with their new official email.
It is tempting to shrug off these issues as minor errors. However, they are indicative of the work culture of the Israeli police in the digital arena. It seems the body in charge of defending against cyber crimes prefers to open an unsecure an easily exploitable Gmail and does not have any real standards for information security.
The wider problem is not this incident or even the police, but rather the wider culture that exists in many public and state bodies in Israel. Guy Zomer, who works for a digital watchdog called the Tamnun, explains that “the use by official bodies of privately owned email services like Gmail or Yahoo is very common - there are hundreds of such accounts,” he says.
“These accounts are inherently exposed and compromised and they indicate the total lack of awareness of the risks that exist online. This is sensitive information that belongs to citizens that is being placed on third-party servers that are not regulated and there is no oversight on the workers using these accounts. It also provides fertile ground for more cases of digital fraud.”