A robber snatched a cash box from a security guard delivering money to a Tesco Express store in the city this morning. The robbery took place at the Humberstone Lane store at around 8.15am as the Loomis van arrived with cash which, it's understood, was to top up the store's cash machine. The robber, who was wearing a mask, ran off into a nearby industrial estate, according to a witness.
The guard was unhurt during the incident.
The Tesco Express store in Humberstone Lane where the robbery took place (Image: Will Johnston)
Security researchers from the University of Birmingham last week went public about security shortcomings in mobile banking apps that leave millions of users at a heightened risk of hacking. The researchers developed a tool called “Spinner” to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security-critical apps, they were able to identify a serious flaw in many banking apps including those offered by HSBC, NatWest and Co-op as well as Bank of America’s Health account app. The researchers found that although banks had been diligent in building security into their apps, one particular technology used – so-called certificate pinning – which normally improves security, meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim’s online banking.
Dr Flavio Garcia, one of the researchers, explained: “Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.” The security weak spot created a possible mechanism for an attacker – providing they are connected to the same network as the victim (eg, a Wi-Fi hotspot) – to perform a so-called “man in the middle attack” and retrieve the user’s credentials, such as username and password/PIN code. Other potential avenues for attack were also found, including the possibility for a wrong-un to do some in-app phishing in software offerings from Santander and Allied Irish Bank. These attacks would have allowed the rogue to take over part of the screen while the app was running and use this to phish for the victim's login credentials.
All the fixings
The University of Birmingham researchers worked with the banks involved, and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure. Banking customers using the same old Apple device that the researchers used (probably a 1st generation iPad, which is limited to iOS 5.1.1) should probably think about using something else for their banking, according to app security firm Arxan. Winston Bond, technical director EMEA at the firm, urged banks to review the research and push updates to their customers.
“Banks should fix vulnerabilities as quickly as they can and push updates to their customers,” Bond said.
“One of the issues highlighted by this research is that users of older Apple devices, which are restricted to older iOS versions, can’t pick up any updates once the app developer moves the minimum OS version for the app beyond their version. They are stuck on the last compatible version, with whatever bugs and vulnerabilities that includes.
“For banks and other organisations to protect themselves from outdated apps, every major app developer has to balance the relentless pressure to adopt the latest iOS features against the need to keep updating the users of older devices,” he added. More robust cryptographic technology deployments by banks would also guard against attacks even in cases where users are connecting into services from ageing or not fully patched devices.
“Certificate pinning is a way to make sure that a mobile app will only talk directly to the server that it is meant to,” Bond explained. “All the communications traffic is strongly encrypted and it can only be understood when it gets to the right place. In this case, it stops anyone getting between you and the bank and seeing how much money you have in your account or changing the details when you tell the bank to pay someone.
“There are several ways to implement certificate pinning, with some trade-offs between flexibility and security,” he added.
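The flaw Garcia describes is easiest to see side by side: a client that pins the issuing CA but skips hostname verification accepts any certificate that CA ever issued, for any site. The following is an added example, not code from the Birmingham paper, the Spinner tool or any bank's app. It models certificates as dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; the DER bytes, CA names and hostnames (`api.bank.example` and friends) are constructed stand-ins, and `issuer_der` is an assumed field standing in for the issuer certificate an app would hash.

```python
"""Certificate pinning with and without hostname verification (added example).

Every certificate here is a constructed dict, not real ASN.1; the point is the
control flow of the two verifiers, not the parsing.
"""
import hashlib

# Constructed stand-ins for the DER encodings of two issuing CAs.
BANK_CA_DER = b"constructed-der:CN=Bank Issuing CA"
OTHER_CA_DER = b"constructed-der:CN=Unrelated CA"

# The pin the app ships with: SHA-256 over the trusted CA's DER bytes.
PINNED_CA_SHA256 = hashlib.sha256(BANK_CA_DER).hexdigest()

# Leaf certificates as the client would see them after the TLS handshake.
LEGIT_CERT = {
    "issuer_der": BANK_CA_DER,
    "subjectAltName": (("DNS", "api.bank.example"), ("DNS", "*.bank.example")),
}
# Validly issued by the same pinned CA, but for a different site: the case a
# pin-only check wrongly accepts.
OTHER_HOST_CERT = {
    "issuer_der": BANK_CA_DER,
    "subjectAltName": (("DNS", "shop.unrelated.example"),),
}
# Correct hostname, but chained to a CA the app does not pin.
UNPINNED_CERT = {
    "issuer_der": OTHER_CA_DER,
    "subjectAltName": (("DNS", "api.bank.example"),),
}


def issuer_is_pinned(cert: dict, pinned_hex: str = PINNED_CA_SHA256) -> bool:
    """True when the leaf's issuer hashes to the shipped pin."""
    return hashlib.sha256(cert["issuer_der"]).hexdigest() == pinned_hex


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: exact (case-insensitive), or one wildcard
    covering exactly the leftmost label. '*.bank.example' matches
    'api.bank.example' but neither 'a.b.bank.example' nor 'bank.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when any DNS subjectAltName entry covers the requested hostname."""
    dns_ids = [name for kind, name in cert["subjectAltName"] if kind == "DNS"]
    return any(dns_name_matches(p, hostname) for p in dns_ids)


def verify_pin_only(cert: dict, hostname: str) -> bool:
    """The flawed pattern: pinning replaced hostname verification, so every
    certificate from the pinned CA is accepted regardless of hostname."""
    return issuer_is_pinned(cert)


def verify_pin_and_hostname(cert: dict, hostname: str) -> bool:
    """Hardened: pinning is layered on top of hostname verification."""
    return issuer_is_pinned(cert) and hostname_matches(cert, hostname)


def run_checks(hostname: str = "api.bank.example") -> dict:
    """Summarise how each verifier treats each constructed certificate."""
    certs = {"legit": LEGIT_CERT, "other_host": OTHER_HOST_CERT,
             "unpinned": UNPINNED_CERT}
    return {
        name: {"pin_only": verify_pin_only(c, hostname),
               "pin_and_hostname": verify_pin_and_hostname(c, hostname)}
        for name, c in certs.items()
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:>10}: {result}")
```

In a real client the hostname check should come from the platform TLS stack rather than hand-rolled code (Python's `ssl.create_default_context()` keeps `check_hostname=True` and `verify_mode=CERT_REQUIRED`), with the pin compared against `getpeercert(binary_form=True)` as an extra layer; the point of the example is that the pin must be added on top of that check, never substituted for it. That is also why a standard interception test passed on the affected apps: the tester's own certificate failed the pin, so the missing hostname check was never exercised.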
It’s also worth noting that the University of Birmingham team managed to carry out these attacks while following the app store licence agreement rules which prohibit reverse-engineering or modification of apps. Real attackers won’t play so nicely. Mark James, a security specialist at anti-malware firm ESET, added: “Using financial services through your mobile device, either a smartphone or tablet, should ideally be done through your cellular mobile connection if possible, or if not, then through a VPN to minimise the chances of your connection being hijacked.”
Some initial results were given in the paper A Security Analysis of TLS in Leading UK Banking Apps presented at the Conference on Financial Cryptography and Data Security in January.
The full results were given in the paper Spinner: Semi-Automatic Detection of Pinning without Hostname Verification which was presented last week at the 33rd Annual Computer Security Applications Conference in Orlando, Florida in the US.
POLICE are remaining tight lipped over security arrangements for a high profile inquest into the sudden and suspicious death of a Barrow baby. The inquiry to establish how 13-month-old tot Poppi Worthington died is finally set to be heard from November 27 following a string of postponements and delays. But Cumbria Constabulary will not disclose whether they are set to provide extra protection for Poppi’s father; Paul Worthington – the man said by a High Court judge to have seriously sexually assaulted the youngster in the moments before her collapse.
Lawyers for the 49-year-old – a former Tesco supermarket worker – have claimed he now receives death threats on a ‘daily basis’. They had requested he be allowed to give evidence via videolink in a bid to ensure his safety. But the constabulary has refused to confirm whether the location has been inspected by officers ahead of the inquest – or whether Mr Worthington will be afforded additional security during the proceedings.
In response to a request submitted under the Freedom of Information Act, the force has stated it can neither ‘confirm or deny that it holds the information’ sought. Additionally, the Legal Aid Agency has confirmed the final amount set to be awarded to Mr Worthington is still not decided with less than a month to go before the inquest begins. The money will be used to pay for a high ranking barrister, expected to be Leslie Thomas QC, and a legal team.
Mr Worthington’s application for funding was turned down three times between 2015 and 2017 before eventually being granted under an ‘exceptional circumstances’ appeal. But a spokesman for the Legal Aid Agency, which refused to divulge the reason for each of the refusals, said: “I can confirm that legal aid has been granted for the representation of Paul Worthington at the upcoming inquest you refer to.
“However, the matter is still pending and so no costs have as yet been billed under this certificate.”
Tragic Poppi was found collapsed overnight at her Barrow home in December 2012 by Mr Worthington. She died soon after. No official cause of death has ever been recorded.
Well documented failings in the way the case was investigated by Cumbria police meant vital evidence was not secured, no formal interviews took place for ten months and no-one has ever been formally charged. Cumbria County Council, which failed to adequately protect Poppi’s siblings, then sought a High Court injunction to keep the whole matter secret for more than two decades. However the injunction was later overturned by a group of media organisations including CN Group.
In January 2016, Mr Justice Jackson concluded on balance of probability the youngster had been seriously sexually assaulted by Mr Worthington before her death. Mr Worthington has always denied any wrongdoing in relation to his daughter. The inquest is expected to last three weeks and will be heard by chief coroner for Cumbria, David Roberts.
It follows an ‘irregular’ first inquest in 2014 which lasted just seven minutes, heard no evidence and was eventually quashed by the High Court. Since then, a fresh inquiry into Poppi’s death has been cancelled at the last minute on two further occasions. The first was postponed to allow the little girl’s mother to seek a review of evidence held on the case by the Crown Prosecution Service.
A later hearing was delayed by Mr Worthington after he was granted legal aid just days before the complicated process was due to start.
:: Poppi was a 13-month-old baby who lived in Barrow with her parents and siblings.
:: In December 2013, she was found collapsed at home by her father Paul and taken to Furness General Hospital by ambulance. She was pronounced dead shortly afterwards.
:: A Home Office pathologist reported Poppi had sustained internal injuries before she died consistent with sexual abuse. However a formal cause of death has not been ascertained.
:: A High Court judge ruled that on balance of probability, Mr Worthington had sexually assaulted his daughter in the moments before her collapse.
:: Mr Worthington denies any wrongdoing.
:: An inquest is a legal hearing that establishes basic facts about an unexpected death.
:: These include who the person was, where they died and how they died.
:: The circumstances leading to the death are also uncovered.
:: It is presided over by a coroner.
:: A High Court judge ruled Mr Worthington had attacked his daughter before she died on balance of probability – the threshold required in civil court cases.
:: But police failings in the case mean the case cannot be tested in the criminal courts.
:: Cumbria County Council bosses later tried to keep the case secret with a High Court super-injunction.
:: This will be the second inquest for Poppi. In a highly unusual move, the first hearing, held at Barrow Town Hall in 2014, was overturned after it was deemed ‘irregular’.