Let's Be Careful Out There!
Earlier this month Tesco Bank in the UK suffered a cyber attack resulting in unauthorised access to 40,000 accounts, with money missing from 20,000 of them. The bank said that this was the result of a "systematic and sophisticated attack". I'm not exactly sure what that means. Had they only planned defence mechanisms for an unsophisticated attack? What do other banks defend against? If it can happen in the UK, is it a fair assumption that it can happen anywhere?
Tesco themselves don't appear to have commented thus far on what exactly happened, but reports indicate that it was an attack from Dark web hackers. The Dark web is where most of us don't venture; it's accessible via specific browsers using a set-up that increases the probability that the user remains anonymous. Consequently it's used by people who do things that they don't want anyone else knowing about. This can be a good thing if you want to blow the whistle on a naughty car manufacturer telling fibs about emissions, but it can also help hide bad people doing bad things.
According to research from King's College London, hackers make up only 1.8% of the Dark web as of February 2016. This is down from 4.25% in 2015, but that doesn't help Tesco. Users were boasting about stealing money from the bank at least a few months before the bank owned up or, even worse, found out. This is reminiscent of the LinkedIn hack of 165 million accounts in 2012, only reported in 2016, and the Yahoo hack of 500 million accounts in 2014, only reported in 2016. Tesco have agreed to return any money stolen; this usually means that the customer has to trawl through all their transactions and try to find them.
Here in Australia amendments to the Privacy Act mean that all companies with a turnover of more than $3m must take 'reasonable' action to protect personal information. In the Tesco example they might comply, as they can argue that they did have systems in place to protect consumers; the systems just didn't work. Hence the proposed Data Breach Notification Bill (not yet passed), which could mean that if a data breach occurs the company must notify the customer and the privacy commissioner, who can publicise the breach. This must all happen within a proposed 72 hours, which sounds reasonable to me.
So while Tesco decline to comment or talk about this, it is left for everyone else to ponder what might have happened. The Sunday Times in the UK claimed that the hackers used data stolen from Tesco to set up contactless payment accounts and then used their smartphones to access the money via low-value transactions. Of course the lower the amount, the less chance it will be spotted, and if your bank hasn't told you that your account has been hacked this could go on for a while!
The Israeli cybersecurity company Cyberint found discussions on the Dark web about using 'brute force' hacking to access Tesco customer accounts. That is, trying thousands of passwords against a login until one works. The lesson there is to use a password manager, or remember a unique random password for every one of your accounts! The scary thing again is that these discussions go back to September and this only went public in November. One Dark web user claimed that they were taking $1000 a week without being noticed.
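From the bank's side, a brute-force attempt of the kind described above leaves an obvious trace: a burst of failed logins against one account, often followed by a single success once a password lands. The script below is an added example (not code from the article, Cyberint or Tesco) that runs that detection over a constructed authentication log. The log format, the account names, the IP addresses, the ten-failures-in-five-minutes threshold and the timestamps are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not any real bank's):
#   <ISO-8601 UTC timestamp> src=<client IP> user=<account> result=FAIL|SUCCESS
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def _stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed sample: one account hammered with guesses, one normal customer."""
    base = datetime(2016, 9, 14, 2, 10, 0, tzinfo=timezone.utc)
    lines = []
    # cust1001: twelve wrong passwords from one source inside 20 seconds, then a hit
    for i in range(12):
        lines.append(f"{_stamp(base + timedelta(seconds=i))} src=203.0.113.9 user=cust1001 result=FAIL")
    lines.append(f"{_stamp(base + timedelta(seconds=20))} src=203.0.113.9 user=cust1001 result=SUCCESS")
    # cust2002: a single typo followed by a normal login from a different address
    lines.append(f"{_stamp(base + timedelta(seconds=60))} src=198.51.100.23 user=cust2002 result=FAIL")
    lines.append(f"{_stamp(base + timedelta(seconds=75))} src=198.51.100.23 user=cust2002 result=SUCCESS")
    # a malformed line, to show the parser skips junk rather than crashing
    lines.append("this line is not an auth record")
    return lines


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def detect_brute_force(lines, window=timedelta(minutes=5), threshold=10):
    """Flag accounts with >= threshold failures inside a sliding window.

    Also records whether a SUCCESS arrived while the account was still
    inside such a burst, which is the signature of a guess that worked.
    Returns {account: {"max_failures_in_window", "success_after_burst", "sources"}}.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # account -> timestamps of failures still in the window
    alerts = {}

    def alert_for(user):
        return alerts.setdefault(
            user, {"max_failures_in_window": 0, "success_after_burst": False, "sources": set()}
        )

    for e in events:
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if e["result"] == "FAIL":
            q.append(e["ts"])
            if len(q) >= threshold:
                a = alert_for(e["user"])
                a["max_failures_in_window"] = max(a["max_failures_in_window"], len(q))
                a["sources"].add(e["src"])
        elif len(q) >= threshold:  # a success landing inside a burst of failures
            a = alert_for(e["user"])
            a["success_after_burst"] = True
            a["sources"].add(e["src"])
    return alerts


if __name__ == "__main__":
    for user, info in detect_brute_force(build_sample_log()).items():
        print(user, info)
```

The sliding window matters: a hundred failures spread over a month is a forgetful customer, a dozen inside twenty seconds is a script. The `success_after_burst` flag is the one to page on, since it means the guessing stopped because it worked, and that account (and the source address) need attention before the low-value withdrawals described elsewhere in this article begin.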
Europol (Europe's Interpol) reported a few months ago that software was available on the Dark web to allow stolen personal information to be loaded onto Android smartphones with NFC (near field communications, i.e. touchless payments) to enable fraudulent transactions. iPhones prevent third-party apps from accessing the NFC chip, so at least for now Apple fans are a little safer.
Tesco is not alone. Even back in 2013 Europol estimated global cyber fraud at $3 Trillion, larger than the global drug trade. The US is, not surprisingly, the number 1 target, followed by the UK and then Australia. All three countries have a very high online credit card usage rate. In June 2015 the US government lost the personal data of 22 million federal employees. In February 2015 America's second largest health insurer lost 80 million customers' data, including social security numbers, dates of birth, addresses and employment details. In September 2014 Home Depot lost 56 million credit card numbers via malware installed on cash registers. In May 2014 eBay lost 145 million customer records. In 2013 Target lost 40 million credit card numbers via point-of-sale terminal malware. And so the list goes on… all this data ends up for sale on the Dark web.
In addition to an all-out cyber attack there are other common methods employed by the fraudsters. One that we would all have had is the 'phishing' email. I had one only this morning pretending to be from AusPost, telling me that if I didn't click on a link I would be charged money for storing an undelivered item. You'd hope that everyone would know about that method by now, so it's becoming more sophisticated with 'spear phishing'. This is when an individual is specifically targeted based on information gleaned from social networking sites. Then there are 'watering hole' attacks, where the hacker finds out what the target's interests are and infects that environment, placing traps on commonly accessed websites that appear to share those interests, like an electronic 'honey trap'. I'm sure the list is not exhaustive.
Whilst I suspect (and hope) that the tier 1 Australian banks are far better protected than Tesco, an attack is always theoretically possible. It can happen anywhere. There are two elements of responsibility here. Firstly, the organisation that has our details needs to ensure that the information is safe, and if they fail we must be informed immediately and compensated for losses. Secondly, we need to take responsibility for ourselves, ensuring we don't click on that link in that email from AusPost, reply to that long lost Nigerian cousin who wants to hand over $10 million, or give our credit card details to an organisation that is not PCI DSS (Payment Card Industry Data Security Standard) compliant.
Ultimately I think the solution will include biometric identification. Voice biometrics has come a long way, as has facial recognition. Combining multiple sources of biometric data could create a personal 'print' that might act as a solid defence. There is also research currently being done to create unique personal identifiers when the customer is not actually present in the shop, and on the capability of cognitive technologies to proactively predict, and reactively build, a probability map of whether a transaction might be questionable. There is certainly more that we can all do, but until then… let's be careful out there!
Department of Veterans Affairs at Department of Veterans Affairs (8 years ago): Hill Street Blues
Research Whisperer (8 years ago): Thanks, Probir. My favourite resource in this space is 'Have I been pwned' by Sydneysider Troy Hunt: https://haveibeenpwned.com/ Troy is a computer security expert, and has set up a simple system to allow people to check if their personal data has been compromised in some of the most significant hacks. I'm also a big fan of mandatory reporting of data breaches. It has changed behaviour in the US, and I'm sure it would here, too. Stay safe out there. Jonathan