SOFE Berlin: Social media and IoT providing a goldmine for hackers

24 November 2016  |  14598 views  |  0 comments

White hat hackers at Sophos gained access to administrative rights at a New York bank using a social engineering technique that leaned on the creation of a bogus profile on LinkedIn.

James Lyne, global head of social security research at Sophos, explained the exploit at an engaging keynote speech to an audience of bankers at Swift's European operations forum in Berlin.

Lyne spends his time conducting penetration tests of business computer systems to look for loopholes in IT security.

For the exploit at the unnamed New York bank, Lyne set up a bogus profile of a 'hot' Canadian woman on LinkedIn and invited some of the bank's staff to connect. Once a few links had been established, the profile was changed to that of a fake low-level IT operative at the bank. With a number of friends at the bank already in the bag, the updated profile was then used to garner more links with other staffers - which ultimately enabled the hackers to open a legitimate point of access to the bank's domain.

A self-professed "massive geek", Lyne proceeded to take an enrapt crowd on a whirlwind tour of the Dark Web, pulling up the AlphaBay website, which operates as "a kind of Comparethemarket.com for cyber crime fraud sites". The illicit marketplace for the acquisition of stolen payment card details offers a very responsive user support operation, says Lyne, and seller feedback tools similar to those used on eBay.

With 350,000 new pieces of malware being released every day, Lyne also lamented the low level of security deployed for devices connected to the Internet of Things. During his presentation, Lyne conducted an on-stage hack of an IP-connected camera similar to those used in the recent Mirai botnet, which managed to bring down Twitter and other US websites in a distributed denial of service attack on DNS provider Dyn.

Describing "hilarious flaws" in devices, Lyne says that of the multiple IoT gadgets tested, only three followed common security practices such as implementing password lockout features. The Internet-connected camera, for instance, used the cleartext Telnet protocol for communications, which Lyne dismissed as "basically a piece of shit from the dark ages".
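The password lockout control that, according to the talk, most of the tested gadgets lacked, as an added example (not code from the article or from Sophos). The credential table, the thresholds and the injectable clock are assumptions chosen for illustration:

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5   # assumed threshold: bad attempts allowed per account in WINDOW
WINDOW = 300       # assumed: seconds over which failures are counted
LOCKOUT = 900      # assumed: seconds an account stays locked after the threshold

class LoginGuard:
    """Per-account lockout: the control credential-guessing botnets rely on
    being absent from cheap IoT devices. Pair it with per-source throttling
    in practice, since per-account lockout alone lets a guesser lock out
    the legitimate administrator."""

    def __init__(self, credentials, clock=time.monotonic):
        self.credentials = credentials      # {username: password}, constructed sample
        self.clock = clock                  # injectable so the behaviour is testable
        self.failures = defaultdict(list)   # username -> timestamps of recent failures
        self.locked_until = {}              # username -> time the lock expires

    def _prune(self, user, now):
        # Forget failures older than the counting window.
        self.failures[user] = [t for t in self.failures[user] if now - t <= WINDOW]

    def attempt(self, user, password):
        now = self.clock()
        if now < self.locked_until.get(user, 0.0):
            return "locked"                 # rejected before the password is even checked
        self._prune(user, now)
        expected = self.credentials.get(user, "")
        # Constant-time comparison; unknown users get the same "denied" as bad passwords.
        if user in self.credentials and hmac.compare_digest(
                expected.encode(), password.encode()):
            self.failures.pop(user, None)   # a success clears the failure history
            return "ok"
        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            self.failures.pop(user, None)
            return "locked"
        return "denied"
```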

In conclusion, Lyne told his audience that the most common breaches take advantage of basic operational failings. "Failure to update security awareness training is key," he says. "The human hack department is the most common entry point.

"We also find incident response is often ill-practiced and ill-thought out. So much can be thwarted from implementing basic security practices."
