Blog article
See all stories »

An article relating to this blog post on Finextra:

Indian processors fingered over $45m ATM heists

The card payment processing firms which saw their systems breached as part of two massive recent ATM heists have been named as India-based ElectraCard Services and EnStage.


See article

The e-Criminal, a serious threat to a safe society

 

…you gotta make the money first. Then when you get the money, you get the power. Then when you get the power, then you get the women.” Powerful words once delivered by Tony Montana (Al Pacino) in the cult movie Scarface. Whilst these words were a reflection of Tony’s views as a successful drug baron, they can easily be paraphrased to fit the biggest new threat to today’s society – the e-Criminal. In the e-Criminal’s world, data is their drug of choice and it can be purchased, sold and stolen just like any other commodity, but this one’s legal. In their world "…you gotta get the data first. Then when you get the data, you get the power. Then when you get the power, you get the money” – what they do with the power and money, whether spending it on fast cars and speedboats or using it to blackmail corporations and governments is really up to them, but the worrying point is the fact that data is the foundation of today’s society and it’s not protected well enough. Oh, and it’s also easily transported, replicated, stolen and destroyed. It’s the e-Criminal’s dream and it’s readily available.

We see real identities (names, addresses, dates of birth) being sold on black-markets en-masse for anything from a few pounds to several hundred, depending on the financial value of the identity. You can also add bolt-ons to this data such as passport numbers, card details or driving licence numbers for a little extra. Other data being routinely targeted includes bank account numbers, corporate secrets, system log-on details, government data, phone numbers, email addresses, and any number other of useful data items. This data is ‘acquired’ using a number of techniques, making the CV of a broadly experienced e-Criminal one to be admired. The sorts of skills these people will have are psychology, computer science, programming, electronic engineering and creative design – note that ‘muscles’, ‘intimidation’ and ‘knowledge of dangerous weapons’ are not present. With a couple of examples, let me explain below how these new skills are being utilised to steal this valuable data:

 

1)      Social Engineering. This could be in the form of phishing emails pertaining to be from ‘your bank’ asking you to provide certain information as your account has been mysteriously blocked, phone calls from ‘your mobile provider’ asking you to confirm details as there have been a number of alleged premium rate calls from your mobile. To successfully pull these off the e-Criminal needs to have good social skills (the emails/calls need to appeal to your human nature, make you feel comfortable in order to lower your defences, and extract the information in an inconspicuous way). Phishing emails also require good graphic design skills to style the email (or target website) in a way that replicates the ‘real’ companies branding exactly so it looks just like the real thing. Oh, and it also helps if you have someone with good technical understanding to be able to spoof the source email domain, or even compromise a legitimate subdomain to send emails from, again all to make this look legitimate to the average punter.

2)      Skimming/Scamming/RemoteRead. In order to pull data off a credit or debit card, you need to understand the media interface, encryption method and message protocol. You’ve also got to be able to create a device reader / front to perform the extraction. This requires a good understanding of electronics, passive devices (NFC) and even a little manufacturing knowledge if you need to create a nice looking front to your scamming device that matches the target machine.

 

There are literally hundreds of other techniques being employed by e-Criminals to gather and utilise this data such as hacking or even virus creation, but the point is this – the skills of real value in today’s criminal society are changing and we need to make sure we skill up our police forces and counter-fraud experts with the very same skills to combat them. The danger is very real and could cause damage of monumental proportions to a society that is slowly becoming a slave to its data.

So, what exactly is the value to the e-Criminal of this data? Well, it’s almost infinite – in a world where you can achieve almost anything without needing to interact in person with the other party, you simply need to present the right credentials (that’s just more data) and you can get what you want whether it’s a holiday, new car, credit card or just cash. So, this makes it possible for a decent e-Criminal to live the life-of-Riley as long as they don’t get too greedy. Unfortunately for us, this often means calls to banks, mobile providers etc to tell them we didn’t decide to buy a Ferrari on a whim last night at 3am, or a 70” plasma from Harvey Nic’s. This can of course become more of a problem if this activity damages our credit profile as it may prevent us obtaining any line of credit in future and in extreme circumstances take us months (sometimes years) of stressful and laborious work to undo the damage. However, there are actually more sinister uses for this data commodity. Imagine if that data included confidential company information, or details of the government’s missile defence strategy? If e-Criminals obtain that kind of data, its use could unbalance the economy and result in company closures, or potentially cause a national crisis.

 

How do we protect ourselves against these threats? It is with absolute certainty that I can say these threats will not disappear, so all of us need to be careful, all of the time. There are a few pointers below that will protect our society from this ubiquitous, highly dangerous and very current threat:

 

1)      Individuals should protect their data like it’s their own child. Do not give out data to anyone, even if it doesn’t seem sensitive or you think you can trust the audience. Bragging on Facebook that you’re at Heathrow about to jet off to the Maldives may seem innocent, but this now lets Bob (the friendly guy you met on a night out last year) know that you’re going to be away from your property for at least a week. Can you really trust every one of your Facebook friends list? Unless you only have 10 friends, the answer is NO, so be careful what you say and to who. It goes without saying that this also applies to any other social media, and providing any data in response to a phone call or email is a definite no-no.

2)      Companies need to ensure that the person they are dealing with isn’t just ‘the right data’, but is actually ‘the right person’. This means analysing the data carefully, profiling it, inferring things from it and, if in doubt, establishing physical contact with the individual. Such systems should not rely on a single approach such as bureau data, or social network analysis, but utilise a hybrid approach that covers everything from reference data, device fingerprinting, biometrics, business rules, predictive models, anomaly modelling, network analysis, and (where possible) text and social media analytics. This is a Big Data challenge, but one that, over the course of the past five years, is now affordable and achievable in a matter of milliseconds or seconds. Such analysis shouldn’t of course just be limited to the operational side, but also extended to empower company analysts to visually discover new and unusual patterns and trends so that these findings may be feed back into the system models.

3)      Physical security needs to be seriously addressed to prevent the threat with the largest potential payload - data leakage. There have been numerous reports recently about government and private sector databases being attacked and penetrated. Investing in the latest security hardware, software and people training is paramount to mounting a holistic and robust defence against the e-Criminal. The anonymity granted by the internet now allows criminals multiple bites at the cherry – if they fail once, they simply try another route. Failing a bank robbery commonly results in arrest; failing a cyber-attack commonly results only in the blacklisting of an IP address range.

 

The time to act is now, whether on a personal basis or acting on behalf of a corporation or government. A review of your activities, security measures and the way in which you view, store, share and analyse data is needed immediately to prevent more than just a trivial theft from happening around the corner.

e-Criminal: a threat to the functioning of a safe society
3737

Comments: (0)