TheWall: Consumer Awareness: Be vigilant online, says ethical hacker

This article first appeared in Personal Wealth, The Edge Malaysia Weekly, on December 17, 2018 - December 23, 2018.

Cyberthreats have been making the headlines. Just last month, it was reported that up to 500 million customers’ details were lost due to a hack on hotel group Marriott International.

In the same month, news reports quoted sources as saying that there had been a ransomware attack on Media Prima Bhd’s computer systems and that hackers had demanded RM26 million in bitcoin. And in July, a cyberattack on SingHealth — Singapore’s largest group of healthcare institutions — even compromised the personal information of the country’s prime minister.

According to a February PwC report, financial services firms are hit by security incidents 300 times more frequently than those in other industries and accounted for 8.5% of data breaches last year. This is due to the tremendous value of the information held by these institutions.

While it may be hard to stop a cyberattack, individuals can take some steps to protect themselves online, says Zoë Rose, an ethical hacker and consultant at Baringa Partners. “What they can do is maintain their awareness of what their banks are doing and listen to the media. There have been so many breaches out there and a lot of journalists are quite good at reporting them. When cybersecurity researchers see something, they call out the organisations. If consumers are listening to the media, they will likely hear about it.”

Rose was speaking at the recent SCxSC Fintech Conference 2018 organised by the Securities Commission Malaysia.

Nowadays, many cyberattacks are carried out through phishing, which entices users to click on malicious links or attachments sent to them, potentially giving hackers access to their computers. If the attack is targeted at a particular user, the hacker often gleans information on the individual through social media and uses it to craft the message.

“[For example] My LinkedIn is a gold mine of information. It shows where I work, live and went to school as well as what causes I am interested in. All this information can be used in a phishing email. With that kind of content, I would be more likely to click on a link,” says Rose.

This approach is called social engineering. “Social engineering calls are traditionally what people try to protect against. With email and open banking, there are now more links in your text messages and malicious apps that are potentially collecting data and sending the information [elsewhere]. So, you have to be mindful of keeping your apps up to date and using only trusted sources,” she says.


Do not simply give out your email address

Many of us give our email addresses to win promotions or sign up for free online services, thinking that this is safer than other types of personal information such as phone numbers. But Rose says simply giving out your email address can be dangerous because it gives hackers a method of entry.

“Email addresses are really valuable because the resetting of passwords and verifications of multiple accounts are done via email. I had a client whose Facebook account was compromised through email. The hackers, who were actually a terrorist group, reset the password and took over the account. As social media companies are making it harder [for such people to] create malicious and anonymous accounts, these groups will use existing accounts to change everything,” she says.

The terrorist group hacked the account to spread its propaganda and there was no way to access it as it had changed the password. In the end, Rose and her team succeeded in taking down the account by reporting the incident to Facebook.

“The consideration was not that her account was taken, but it was that her account contained information on where she lived, who her family was and her schedules. It was taken over by a terrorist group and that was what bothered her. Many people say they have nothing to hide or have nothing of value, but the reality is that you do, just because you exist,” says Rose.

Those who give out email addresses indiscriminately could find themselves a victim of phishing attacks. Most malicious hackers are financially motivated, Rose points out, which means they will target users whose information is easily obtainable. All hackers need is an email address to which they can send phishing messages.

“An example is ransomware. They will get your email and they won’t even need your credentials. They will just send you an email with malicious links or documents to get the ransomware into your computer,” says Rose.

Ransomware works by locking the data on the computer until the user pays the amount demanded by the hacker. These malicious links can look innocent, but hackers have been known to modify links to trick users. For instance, they can replace an “l” with an “I”, which look similar, or misspell something in the link.

One way for consumers to closely inspect the spelling of a website address is to copy and paste it into a text document such as Microsoft Word. “If you just clicked on the link, you would not have noticed it. So, there are some things you can do to check,” says Rose.
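The lookalike trick described above (an “I” standing in for an “l”, a digit for a letter, or a one-letter misspelling of a familiar name) can be checked mechanically rather than by eye. The Python script below is an added example, not code from the article or from Baringa. It assumes a short, constructed list of sites the reader actually uses, folds every hostname to a “skeleton” in which visually similar characters become the same letter, and flags any link whose skeleton collides with, or is one edit away from, a trusted site. Punycode (`xn--`) names are decoded first so that a Cyrillic letter hiding in an internationalised domain is compared by what the user would see.

```python
"""Added example: flag lookalike hostnames in a link before it is clicked."""
import unicodedata
from urllib.parse import urlsplit

# Constructed folding table. After lowercasing, each key is replaced by the
# ASCII letter it imitates. "i", "1" and "|" are folded into "l" because
# capital I and lowercase l are hard to tell apart, the trick the article
# mentions; the last row maps Cyrillic letters that look like Latin ones.
CONFUSABLES = {
    "i": "l", "1": "l", "|": "l",
    "0": "o",
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}

# Constructed list of sites the reader trusts (hypothetical bank domain).
TRUSTED_SITES = ["paypal.com", "google.com", "mybank.example"]


def hostname_of(url):
    """Extract the hostname from a URL, decoding punycode labels so that
    internationalised lookalikes are compared by their visible form."""
    if "://" not in url:          # urlsplit needs a scheme to see a host
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")   # .hostname lowercases
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass                  # undecodable label: keep the raw form
    return host


def skeleton(host):
    """Fold a hostname so that visually similar spellings give the same string."""
    s = unicodedata.normalize("NFKD", host.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED_SITES):
    """Return (verdict, trusted_site). Verdicts:
    'trusted'   - the hostname is a trusted site or one of its subdomains
    'lookalike' - not trusted, but it contains, visually matches or is one
                  edit away from a trusted site (treat as phishing)
    'unknown'   - unrelated to any trusted site (not necessarily malicious)"""
    host = hostname_of(url)
    for site in trusted:
        if host == site or host.endswith("." + site):
            return "trusted", site
    bare = host[4:] if host.startswith("www.") else host
    sk = skeleton(bare)
    for site in trusted:
        if site in bare or sk == skeleton(site) or edit_distance(sk, skeleton(site)) <= 1:
            return "lookalike", site
    return "unknown", None


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin", "https://paypaI.com/login",
              "http://www.goggle.com", "https://p\u0430ypal.com/",
              "https://paypal.com.login-check.example/"]:
        print(u, "->", check_link(u))
```

The verdict 'unknown' is deliberately not 'safe': the script only knows about the sites in its list, so an unfamiliar name still deserves the manual inspection the article recommends.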

Receiving emails with spelling errors or from strangers is another red flag. Recipients can check with their bank if an email purportedly sent by the financial institution looks suspicious, says Rose.

While some may say their email has nothing valuable, hackers often use an individual’s email as a gateway into a company’s computer system. Employees who have high-level access to internal systems could be targeted by hackers for that purpose.

For instance, a 2013 hack on US-based retail giant Target resulted in a breach of 40 million customers’ credit card data. The attack was carried out through the computer of an external contractor.

“The third party had more access than it needed and its local computer was compromised, which gave the hackers access to Target’s customer information. Organisations often say they have nothing of value, but maybe they are another way in,” says Rose.

“For example, Baringa works with big organisations. So, if hackers wanted to target these organisations, they would look at how they could target these companies through my firm.

“I have the responsibility to keep my environment secure. I am mindful of that and try my hardest. However, some people I am connecting with probably are not as mindful or make mistakes. So, you have to add layers of security.”

A similar situation occurred in a Ukraine power grid cyberattack in 2015, when a phishing email was sent to employees who had access to the industrial control system. “They inserted custom malware that targeted the industrial control systems. The way they got to the system was when someone clicked on a phishing email on a computer that not only had internet access but also access to the industrial control system. Looking back, there could have been a separation [of computers with access to the internet and those with access to the industrial control system],” says Rose.


Take charge of your own safety

It is important to read the reviews of a bank or financial institution before using its services, says Rose. “If all they say is we have ‘bank-level security’, consumers should question what that means.”

Some financial institutions run campaigns to educate their clients on how to protect themselves in cyberspace, which is a good sign, she says. Others just have basic descriptions of how they secure client data.

Meanwhile, multi-factor authentication should be made available for these accounts. “If your bank accounts have been breached and your passwords are lost, or they said the passwords were encrypted but this wasn’t actually so, the hackers would not be able to log in because they do not have the second factor to do so,” says Rose.

In addition, financial institutions’ websites — not just their login page — should use HTTPS, visible as “https” at the start of the web address. These institutions should also be forthcoming about cyber incidents that involve them.

“Are they transparent? If there is an outage, do they tell you about it? If they do not, what they are hiding could be a red flag. It could be a cyber incident, but do they explain what happened?” says Rose.

For example, UK-based digital bank Monzo investigated fraudulent transactions among its customers in April and suspected that there had been a breach at ticket sales and booking company Ticketmaster. It immediately blocked those transactions, replaced the cards and notified Ticketmaster about the breach, according to the bank. Ticketmaster only admitted in June that there had been a breach of its systems through a subcontractor who operated the chatbot on its website.

“In my mind, that is a sign saying they need to pay attention. That is an indication that the bank actively cares [about protecting its customers] and is transparent,” says Rose.

Creating strong passwords is another key step. Instead of regularly changing passwords, it is more secure for individuals to create long ones, says Rose. This makes it harder for hackers to guess one’s passwords. There are also password managers available in the market to help individuals store their passwords.

For others, writing down the passwords physically may be a better solution. “My friend, who is older, really struggles with computers as she is not tech-savvy. She has a book in which she writes the passwords. In this case, those who pose a threat to her are not nation states or targeted attacks, but people who are opportunistic. So for her, the more secure thing is to write down the passwords because they can be longer. And store the book somewhere safe,” says Rose.


Reducing online exposure

Some of the easiest things individuals can do to prevent cyberattacks are to limit the kind of data they provide online, regularly update their apps and be mindful of what links they click on. They should also delete apps and accounts they no longer use.

“If you tag photos of everywhere you go, maybe tag them only after you have left the location. Also, phones have functions that allow you to pixelate certain parts of a picture. If you take a photo of your car, remove your licence plate,” says Rose.

“A lot of people take photos of their child on the first day of school. That is alright. But if they are in uniform, consider not showing the insignia. If you are taking a photo of your house, take one of the inside instead of in front of the house.”

When downloading apps, one should read the reviews and research the developer. Some app stores have less stringent requirements for developers to submit products, so users should be cognisant of the developer’s track record, says Rose.

If an individual has Internet of Things (IoT) devices connected to the home WiFi, he should consider not sharing it with visitors. “If you have a guest come over, does he need your WiFi? Probably not. If he does, does he need the WiFi that has access to your IoT or local devices? He can have the guest network and you the home network, so you do not have to rely on them being secure or have the apps updated,” says Rose.

There are also apps or devices that enable multi-factor authentication. For instance, the YubiKey is a physical device that can be inserted into USB ports or tapped on NFC-enabled Android phones to complete the authentication process.

“Like my social media accounts, I have a password login and a physical item that I have to plug in, press and add a code to let me log in. I also have apps such as Google Authenticator. It is free and works with most services. You can just log in and it asks you for a code, which is in the app,” says Rose.