Camelot has admitted that it does not offer security advice to winners, despite a recent winner’s profile being wide open.
The winner, who did not return emails to IT Security Guru, had won a multi-million-pound prize and had appeared in the national press, but his Facebook profile displayed information on his interests, family and occupation.
Speaking to IT Security Guru, Andrew Barratt, managing director, Europe for technology audit and advisory services at Coalfire, said that within seconds it was possible to determine details on his partner, children and wider family, who could be an open target for interested crooks.
He said: “There were also sufficient photos of them that a meaningful criminal could have been able to recognise him, and them. He also responded regularly to his friends wishing him birthdays, so it was possible to work out his date of birth. His address was available from the electoral register as well.”
Barratt said that within about 30 minutes he had the winner's full name, date of birth and the names of his children, while his partner's profile was also open and revealed which football team he played for and supported, and which pubs and restaurants he visited, via check-ins.
Asked what sort of risk this posed, Barratt said that as the winner is a high-net-worth individual there were all sorts of risks to him, both online and physical. He said he was able to get all of this information just by taking the details in the press release and comparing them against social media.
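The date-of-birth step Barratt describes (reading the dates on which friends post birthday wishes) is mechanical enough to script. The following is an added example, not code from the article, from Coalfire or from any platform; the post data is constructed for illustration, and the `(timestamp, text)` shape and the function names are assumptions, not any social network's API. It also shows the check a practitioner would want: a day is only reported when wishes land on it in more than one year, so a one-off cluster (wishes for a child, say) is not mistaken for the target's birthday, and belated wishes are discarded because they shift the day.

```python
"""Added example: inferring a date of birth from the timing of public
birthday wishes, as described in the article. Sample data is constructed;
post format and function names are assumptions, not a platform API."""
import re
from collections import defaultdict
from datetime import datetime

# Matches common forms of a birthday wish; case-insensitive.
BIRTHDAY_RE = re.compile(r"\b(happy|hb)\b.*\b(birthday|bday)\b|\bhbd\b", re.I)
# Wishes posted late would skew the inferred day, so they are dropped.
BELATED_RE = re.compile(r"\bbelated\b|\blate\b", re.I)

# Constructed sample of public wall posts: (ISO-8601 timestamp, text).
SAMPLE_POSTS = [
    ("2019-03-14T09:12:00", "Happy birthday mate! Pint later?"),
    ("2019-03-14T18:40:00", "HBD!!"),
    ("2019-03-15T08:02:00", "Happy belated birthday, sorry I missed it"),
    ("2020-03-14T07:55:00", "happy bday, have a good one"),
    ("2020-06-02T12:00:00", "Great result for the lads on Saturday"),
    ("2021-03-14T10:30:00", "Happy Birthday! Big one this year?"),
    ("2021-03-14T11:00:00", "Happy birthday from all of us"),
    ("2022-07-09T15:00:00", "Happy birthday to your little one!"),
]


def birthday_wishes(posts):
    """Return (year, month, day) for every post that reads as a same-day
    birthday wish. Belated wishes are excluded."""
    dates = []
    for ts, text in posts:
        if BIRTHDAY_RE.search(text) and not BELATED_RE.search(text):
            d = datetime.fromisoformat(ts)
            dates.append((d.year, d.month, d.day))
    return dates


def infer_birthday(posts, min_years=2):
    """Pick the (month, day) that receives wishes in the most distinct years.

    Returns (month, day, sorted_years) or None when the best candidate is
    seen in fewer than min_years distinct years, so a single cluster of
    wishes (e.g. for a family member) is not reported as the target's DOB.
    """
    years_by_day = defaultdict(set)
    for year, month, day in birthday_wishes(posts):
        years_by_day[(month, day)].add(year)
    if not years_by_day:
        return None
    (month, day), years = max(years_by_day.items(), key=lambda kv: len(kv[1]))
    if len(years) < min_years:
        return None
    return month, day, sorted(years)


if __name__ == "__main__":
    print(infer_birthday(SAMPLE_POSTS))  # constructed data -> (3, 14, [2019, 2020, 2021])
```

The same multi-year check is what makes the technique reliable against an open profile: one wish is noise, three years of wishes on the same day is a date of birth. Restricting posts and comments to friends only, as Barratt suggests, removes the input entirely.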
Barratt said: “Social network settings can be complicated, but typically they are not that complicated. A simple restriction on Facebook to only allow friends to view profile details would have stopped a casual scammer.
“Whilst I’m sure the winner is looking at their next set of lifestyle changes, Camelot should really be advising on some precautionary measures to avoid them becoming an easy target. This should be done before the cash is in their account and the press releases drafted, it’s just timing really.”
A spokesperson for Camelot, who was not aware of the concept of social engineering until it was explained by this journalist, said that it does give some advice, but only to winners of hundreds of millions of pounds.
They said: “There is a difference between those who win £1 million and £161 million and there is a difference in the advice. So in simple terms, we would advise them on Facebook security settings, as each winner is different on what they choose to do with their winnings, and we simply advise them on what to do with it.
“We provide access to private banking, and when they win they get what we call ‘the panel’ with a financial advisor, banking expert and a legal advisor and it is up to them if they want to use them. It is a lot of support, with a lot of sensible advice.”
They said that Camelot’s security team will advise those who have won a lot of money on how to be secure, but that is mainly for dealing with the media. “Specifically on IT security, it is not something I am aware of,” they said. “We are responsible for helping people and we have a part to play.”
Asked if Camelot should consider offering security and privacy advice to winners along with financial advice to prevent such attacks being successful, Barratt agreed, saying that while he understood why some winners wanted to remain anonymous, for those that choose to disclose a win Camelot have a huge responsibility to help the winner understand potential threats.
He said: “This isn’t necessarily a time to scare them, but to advise on sensible approaches to online privacy and public information disclosure. Even give them time and advice to set the appropriate settings on Facebook/Twitter/Instagram etc. This is even more important when amounts can be so life changing.
“One other challenge is that someone receiving a large sum of money suddenly has their ‘normality’ changed. There are plenty of examples of public lotto winners being hounded for money – even just by the general public sending begging letters, so why not take precautions against the scammers?
“There is also a risk that if compromised a scammer may take the low and slow approach. The winner is likely to be generating more in interest than they’ve ever earned before, so may not recognise it if it is small but sizeable amounts of money being taken frequently from their account.”