“Some of the phishing emails are so good that I wouldn’t be able to tell them apart from my own,” admits Gerhard Schabhüser, Vice President currently in charge of BSI business. “Unfortunately, the constantly tense security situation in Germany also applies when we look at the situation of consumers,” he said in Berlin. The BSI (Federal Office for Information Security) is not only responsible for the security of the federal authorities. For some years now, its tasks have also included a sub-area of digital consumer protection. The BSI has now presented its annual report together with the Ministry of Consumer Protection; the presentation also covered a planned EU regulation.

Schabhüser reported that phishing attacks were becoming more outrageous. The perpetrators adapt their emails to whatever is currently dominating the media, for example the earthquake in Turkey and northern Syria. Consumers are also increasingly affected indirectly, for example through attacks on companies and authorities. This includes, among other things, data leaks or the associated restriction of local governments' ability to work, as well as failures of payment service providers or hospital IT. Schabhüser calls on providers and those responsible to comply with their IT security obligations.

“More and more people are exploiting the fact that people act emotionally in uncertain situations,” said Christiane Rohleder (Greens), State Secretary in the Federal Ministry for the Environment and Consumer Protection. Criminals took advantage of fears of war and financial hardship. Fraud around alleged charity is also widespread. The BSI report raises fake shops as another problem: they deliver nothing, or only worthless goods, after payment.

Operators of fake shops are currently taking advantage of people’s needs, especially in the fuel trade, and the police in several federal states have warned of online fraud with firewood and pellets. With particularly low prices and serious-looking page layouts, victims are tempted to choose a supposedly cheap alternative for their heating needs. The Federal Association of Firewood also had to realize that the perpetrators often used the identities of real, reputable dealers. To help prevent fraud, the Federal Association of Firewood has posted a list of its members online.

Companies have to live up to their responsibilities, said Secretary of State for Consumer Affairs Rohleder, and take security by design and by default into account, to prevent problems and, in the event of damage, to minimize the effects. BSI Vice President Gerhard Schabhüser emphasized the development of a DIN specification, which will be published at the end of March and should help micro and small companies with self-assessment and the necessary steps.

Since mid-2021, the BSI has also been tasked with checking consumer products for their IT security and then, if necessary, awarding them an IT security label if manufacturers apply for this. By the end of 2022, the BSI had awarded 37 such labels; initially, the agency focused on popular e-mail services and home routers. Schabhüser explained that the latter were chosen because “consumer devices with an insecure status” were running loose in the home network and the routers were therefore particularly relevant to the security of consumers. Networked cleaning and gardening tools, among other things, followed later.

The BSI is currently looking in particular at devices from the Internet of Things (IoT). Schabhüser hopes that the IT security label will have a strong advertising effect. However, from his point of view, more is needed: “It is wrong to only rely on voluntariness. We need minimum requirements for market access.”

According to the BSI, the threats are increasing. For Secretary of State Rohleder, the planned EU regulation called the Cyber Resilience Act (CRA) is a milestone when it comes to the IT security of networked products. In these negotiations, the BMUV and the BSI jointly advocated a high level of protection. With the CRA, reporting obligations and proof of minimum requirements, which are currently still voluntary, would become mandatory.

According to BSI Vice President Schabhüser, the CRA could still be improved on some points. The German position on the Cyber Resilience Act has not yet been politically agreed. Rohleder would like “security updates to be made available for the entire lifespan of a product and not just for five years.” In addition, products for children and wearables in particular should be given more consideration in the CRA. The coalition agreement also envisages strengthening official enforcement – this could also become a task for the BSI with the CRA. In certain cases, the Federal Network Agency can currently take unsafe devices out of service.


(ds)
