Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: How a 15-year-old stole $24m. Don’t worry about deepfakes – Worry about phishing emails. And it’s not impossible to defend against ransomware attacks.
This week’s action: Don’t trust your phone company with your house keys.
If you’d prefer to listen to Cyber 3-2-1, this week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: Don’t worry about deepfakes. Worry about phishing emails.
What? The Register recently reported that “panic over the risk of deepfake scams is completely overblown, according to [John Shier], a senior security adviser for UK-based infosec company Sophos. [..] Shier said current deepfakes – AI generated videos that mimic humans – aren’t the most efficient tool for scammers to utilize because simpler and cheaper attacks like phishing and other forms of social engineering work very well. [..] “People will give up info if you just ask nicely,” said Shier.”
So what? There are lots of great stories about how the bad guys are using AI and the latest tech to fool us. While these stories are interesting, they shouldn’t distract us from the more likely threats and more common attacks that we face. If you are the victim of a cyber attack, it is still most likely to occur because of an email from a bad guy that fooled a staff member into doing something (e.g. clicking a link, downloading an attachment, paying a fake invoice).
2: It is not impossible to defend against a ransomware attack.
What? Ireland’s National Cyber Security Centre (NCSC-IE) recently published a very helpful infographic and short video to explain to non-techies how ransomware attacks succeed and the simple steps we should all take to reduce the risk of being the next victim of such an attack.
So what? The infographic does an excellent job of summarising the key things we can do to reduce the risks – The old reliables are all there: keeping software up-to-date; using multi-factor authentication so your password is not enough for a bad guy to gain entry; multiple backups including at least one that is stored offline. None of these security measures require a significant investment but they all provide significant benefits. Small costs. Big benefits. Isn’t that the investment equation we all want?
3: Did you know your phone company could be your weakest link?
What? The Register recently reported on a 15-year-old cybercriminal who stole $24m worth of cryptocurrency from one individual by bribing a phone company employee. What’s the connection between $24m and a phone company? It is the victim’s mobile phone number. The victim had set up Multi-Factor Authentication (MFA) on their email account, which was a good thing to do. It meant a cybercriminal couldn’t gain access to this email account with just a username and password. However, the MFA was configured to send the security codes to the victim’s phone number. The 15-year-old cybercriminal bribed an AT&T employee to point this phone number at a different phone, owned by the 15-year-old. This is called SIM Swap fraud. This meant that all calls and messages to this phone number went to the cybercriminal. The criminal then went through the process to reset the victim’s email account password. Once in the email account, they had a look around and found information about the victim’s cryptocurrency. And from there, the money was gone.
So what? Multi-Factor Authentication is a simple step that brings significant benefits. However, not all MFA setups are the same. I know it is convenient to receive MFA security codes via text message, but it’s not very secure. It can be bypassed through this type of SIM Swap fraud. I discuss ways to deal with this in this week’s action.
1: < $1m
What? The current value of the $24m worth of cryptocurrency that was stolen when a 15-year-old bribed an AT&T employee, according to The Register.
So what? Cryptocurrency is not (yet) an investment. It is a gamble. There’s nothing wrong with a gamble, but we shouldn’t fool ourselves into thinking it’s responsible investing.
What? The amount of money stolen from Binance Bridge, one of the world’s largest cryptocurrency exchanges, after a bad guy gained unauthorised online access to its internal systems. This is according to a recent report by teiss.
So what? When was the last time we heard that an old, traditional, boring bank lost $100m because someone online gained access to their internal systems?
1: Don’t trust your phone company with your house keys
What? This goes back to my earlier story about a 15-year-old stealing someone’s valuables after bribing a phone company employee. MFA security codes are the keys to your online kingdom – After all, these codes probably enable access to valuable accounts, such as your email account and online banking. If you receive these codes as SMS text messages, a criminal only needs to find a way to reroute your phone number to their device to receive these keys to the kingdom. And going through a phone company employee is a common way for criminals to do this.
So what? In the real world, would you be comfortable knowing that an employee of your phone company could be fooled or bribed into handing your house keys to a criminal? Because, in the online world, if you allow MFA security codes to be sent as SMS text messages to your phone number, that is what you are doing. This is why it is important that you try to avoid the use of SMS for these security codes, and instead use one of the many free authenticator apps (e.g. Google Authenticator; LastPass Authenticator; Authy), which generate these security codes for you. When you use one of these authenticator apps, the criminal needs to get their hands on your physical phone before they can get these codes. Unless you happen to live near these criminals and you happen to be a high-value target, most criminals won’t bother. There are too many easier targets out there.