I recently enjoyed presenting a Keynote Talk in Namibia to the Financial Industry about Digital Security and Cybercrime. This subject is so extensive that it was impossible to touch on all its aspects during a single session, so I promised to post this article.
Coincidentally, I started to write this article in the safest country in the world for Cybercrime, which is Singapore. The country with the most Cybercriminals is America, followed by China. Here is a nice pie chart I found during my research offering a visual overview of the main hot spots for resident cybercriminals.
Cybercrime is the greatest risk to global security because it is the least understood, least prepared for, fastest growing, and, unlike most crimes which operate in a niche sector, cybercrimes affect everyone, every company, every device and every asset. It has the fewest laws and the least prevention funding.
To try and offer a good summary on this subject and not overload you with too much technical waffle, I have decided to use bullet points and divide this article into sections covering:
Status & Overview.
Things are really bad… and you had no idea!
Types of Cybercrime.
These differ based on local laws and expert opinions. My opinions on categories are:
Harassment and Cyberbullying.
Cyberstalking is unsolicited communication which is personal in nature. Stalking is often referred to as trolling.
At my keynote talk I gave an example using Dirk, who was on the Board of Directors at the company that employed me to do the keynote talk. Obviously I cannot share too much information about this person within my article, but I did demonstrate how in just 30 minutes online I could work out his probable age and that he had a helicopter at his 50th birthday party. This I knew was not enough information to impress, so I then went on to share his probable religion, that he enjoyed cycling (while wearing spandex), that he could ride a horse and probably had a skipper's licence.
I took the personal information up one more level, and shared his preference of beer and professional camera, what his high school uniform colours were and what type of visa he had in his passport for May 2011.
To make things really uncomfortable I shared a geolocation pinpoint of where his daughter worked.
The information I shared was available online already, and if in the hands of a cybercriminal it could be used against him or even his family.
Cyber safety is not only about what information you make public but also where your information is stored. In December 2016 the internet giant Yahoo lost 500 million contacts including email addresses, dates of birth, passwords, phone numbers and security questions. There was a 19-year-old from Uruguay who managed to gain remote access to the Google Cloud Platform. For reasons like this, search engines are spending a lot of funds on checking their systems for issues. Google has paid security researchers nearly $20 million in bug bounties.
Obscene and Offensive Content Sharing.
Pornography, nasty messages and inappropriate communications. This has in some cases been so bad it has resulted in suicide.
Hackers are also known as “Crackers”. This is an intruder accessing your system without your knowledge or permission.
A popular example of hacking is SQL injection, a technique that plays on the vulnerabilities of software on websites with databases.
An interesting fact: Dennis Ritchie and Ken Thompson, the creators of the UNIX operating system, and even Mark Zuckerberg of Facebook all used to be hackers.
This type of fraud can be as simple as using Photoshop to manipulate a company invoice with your own account information and sending it out to clients who then make payments to a personal account. This happened in my own company. It can be more complex of course, and if the criminal can access enough information or resources it can lead to more complex crimes like sales or investment fraud.
Data diddling, or data manipulation, is also a type of digital fraud. It often involves part of a program's code or data being manipulated to change an outcome in the criminal’s interest. This sort of crime is normally done in conjunction with another crime.
Credit Card Fraud.
This is one of the oldest practices around and happens at petrol stations, shopping chains or even online.
Data, Property Theft and Damages.
This is a nice plump category.
Web Jacking. This is when a hacker takes control of a website and often results in a ransom request or publishing of nasty posts on the website.
Identity Theft. This is a very common type of digital crime. Identities are stolen for personal gain or even to resell.
Software Piracy or ‘Cloning’. We think it is a no-harm crime, and in most cases we are all involved with pirated media or software. Pirated media often contains trojans, viruses, worms and other malware.
Digital Money Laundering. Generally illegal and high value funds need to be laundered before they can be spent. This normally happens through “wire transfers”.
This is malicious software injected into a system with the intent of causing harm to data or even the actual device.
This is the technique of gaining confidential information like credit card names, numbers, usernames and passwords to be used while pretending to be a legitimate organisation. This practice is very common in the banking sector and mostly done via spam emails which direct the victim to a fake website where they offer their personal information.
Often carried out by botnets or people with way too much time on their hands.
Malicious programme attacks:
This is another plump category.
Viruses infect a system and circulate to other computers on a network.
Worms are like viruses, but don’t need a computer host; they just replicate until they use all available memory in the entire system.
Trojan horses. They look like legitimate PC files and are often ‘caught’ with drive-by downloads, which is a fancy name for when you download something by mistake when visiting a website you should not be on. Gaming sites are often big culprits here. They are often used to steal information or hamper or disrupt the function of a system.
Logic Bombs. Also known as slag code. This is malicious code intentionally inserted into software to execute a naughty task. They work mainly on closed networks like intranets at companies. They wait in the system and launch on a trigger determined by the developer of the attack. A good example is the famous “Friday the 13th” bomb.
Denial-of-Service attack. This is a big one in banks, and is basically about flooding a computer or network with traffic so it slows it down or even crashes it. Often done with e-mail bombing.
Distributed Denial of Service attacks. Similar to Denial-of-Service, but differs because the attackers are often at a number of geographically spread out locations.
Ransomware. This is when a person or organization has to meet demands by the cyber attacker before they will give the owner access or control of their systems. This is reported to be one of the greatest threats at the moment.
Voice phishing involves phone calls using fake identities to trick you into believing the caller is from a trusted organisation so you feel comfortable enough to offer personal information.
This is when cybercriminals steal little bits at a time to avoid detection or setting off alarms. Most of the time it is manipulation like rounding off a value related to funds to an even number, so a few cents in a decimal factor, but over time they can steal huge amounts of funds. Similar damage can be done by manipulating data around stock inventory.
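An added example (not from the original article): a reconciliation check for the small-amount rounding theft described above, often called salami slicing. The ledger rows, batch names and the half-even rounding policy are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed sample ledger: (batch, exact computed amount, amount actually posted).
# Batch A rounds per policy; batch B always rounds down, keeping the difference.
LEDGER = [
    ("interest-run-A", Decimal("10.125"), Decimal("10.12")),
    ("interest-run-A", Decimal("20.135"), Decimal("20.14")),
    ("interest-run-A", Decimal("5.004"), Decimal("5.00")),
    ("interest-run-A", Decimal("7.996"), Decimal("8.00")),
    ("interest-run-B", Decimal("10.129"), Decimal("10.12")),
    ("interest-run-B", Decimal("20.138"), Decimal("20.13")),
    ("interest-run-B", Decimal("5.004"), Decimal("5.00")),
    ("interest-run-B", Decimal("7.996"), Decimal("7.99")),
]


def rounding_audit(ledger):
    """Recompute each posting under the assumed policy (round half to even,
    to the cent) and total, per batch, how much customers were shorted."""
    report = {}
    for batch, exact, posted in ledger:
        expected = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        stats = report.setdefault(
            batch, {"rows": 0, "mismatched": 0, "shortfall": Decimal("0.00")}
        )
        stats["rows"] += 1
        if posted != expected:
            stats["mismatched"] += 1
            # Positive shortfall: the customer received less than the policy allows.
            stats["shortfall"] += expected - posted
    return report


def suspicious_batches(ledger, max_shortfall=Decimal("0.00")):
    """Batches whose accumulated shortfall exceeds the allowed tolerance."""
    audit = rounding_audit(ledger)
    return sorted(b for b, s in audit.items() if s["shortfall"] > max_shortfall)


if __name__ == "__main__":
    for batch, stats in rounding_audit(LEDGER).items():
        print(batch, stats)
    print("Investigate:", suspicious_batches(LEDGER))
```

Each individual difference is a single cent, which is why the check totals per batch instead of alerting on any one row.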
Eavesdropping & Surveillance.
Any device on the internet, or on a work or home network, and perhaps even an unsecured cell phone data connection, runs the risk of being used to share information about you.
Wiretaps are very popular, but depending on the device, a criminal with the know-how can actually see you, hear you, work out your location, access files and then share them, or even manipulate apps.
Cryptocurrency Theft & Crypto-Jacking.
Cryptocurrency is a digital phenomenon which will shape trade and have socio-economic impacts I cannot even begin to imagine yet, and I’m a Future Thinker. Unfortunately Bitcoin is used on the dark web a lot, and this sort of practice has created a lot of negativity for this type of technology. Remember, technology does not commit crime; people commit crime using tech.
Crypto-Jacking is when a user’s PC is used without their knowledge, with sometimes as much as 80% of the CPU and RAM hacked and put to work on crypto coin mining. This often happens with adware from gaming sites or pirated content.
Data and data Traffic Theft or abuse.
Data is the new oil or the new gold. Either way, data is extremely valuable and the most important raw material on the Internet of Things.
Set aside for a minute what the data is about. It can be a password, or a picture of your child; it does not matter! If the data cannot move from device to device, it really has far less value.
Therefore, if you manage to control the flow of data, or even the storage of data, either through hacking or even legal methods like charging for data as an ISP, you really are in a position of extreme power.
If a country is able to decrease the cost of data traffic, it becomes competitive on an international scale.
Who is a Cybercriminal?
Cybercriminals are well-paid computer nerds and entrepreneurs who have turned to the dark side.
They are not what TV makes them out to be and probably not sitting in their basement in horrible boxer shorts being fed cookies and coffee by their gran.
Most Cybercriminals are between the ages of 29 and 49 years old, and 3 out of 4 are male.
Other than these profile traits, you can categorize these criminals into skill sets:
Points specific to Financial Industry.
Get your coffee topped up for this section.
The Norton report of 2017 said 978 million customers were affected by cybercrimes with a loss of $172 billion. Then one year later, the President of the World Economic Forum said that losses from cyberattacks approached USD 1 trillion. That is a gigantic increase over just a few months. Some examples of these losses:
Not all attacks lead to profits; some just cause damage, like the NotPetya attack, with a loss of $300m.
Criminals monitor the published vulnerabilities in the sector and exploit them before security is able to update defences. Most attacks are made by groups. Some examples of Digital Gangs:
How a Target in the Financial industry is picked.
This is a generalised crime scenario and a target is picked based on the criminal’s technical abilities and knowledge of internal banking processes.
It is everyone’s responsibility to assess vulnerabilities, take action and mitigate risk.
Technology is both the threat and the solution to this crime wave, if we can just manage the human factor.
For the Individual:
For the Corporate:
Where to report Cybercrime.
Reporting Cybercrime in South Africa
Please feel free to send any questions or comments. My other articles are at: http://www.jeanpierremurraykline.co.za/mediaarticlesinfoseospecialist.html
If you want to be the first to hear more news on tech, marketing and other related information, be sure to follow me on Facebook: https://www.facebook.com/Jean-Pierre-Murray-Kline-1811395325773068/
Published April 2019