User factor in cyber breaches
More often than not, even the bare minimum security blocks are not put up
When Mark Zuckerberg’s Twitter account was hacked in 2016, most people assumed that the attackers had used some form of complex malware to target the CEO of one of the biggest tech companies in the world. But soon the hackers tweeted (from Zuckerberg’s Twitter handle) that they had found his password on a leaked LinkedIn database, and the tech industry discovered the password was a simple six-letter sequence that defied every safety recommendation in the industry (“dadada”).
The infiltrators were also able to access his Pinterest account, because it carried the same password. It may be surprising to learn that one of the most powerful men in tech chose not to follow one of the most basic cyber security rules — to use a different, complex password for each online account.
But as an information security specialist at a UAE bank, I’m not all that surprised — the weakest link in the security chain is people themselves.
Don’t get me wrong. Malware still poses a significant threat to corporations, whether in the form of viruses, trojans or, more recently, ransomware. According to the Centre for Strategic and International Studies, cybercrime costs the global economy over $600 billion (Dh2.2 trillion) every year (nearly 1 per cent of GDP). The UAE — one of the most targeted countries in the world for cyberattacks — incurs an estimated $1.4 billion in costs per year. But many cyber security breaches aren’t actually all that sophisticated. In its annual Data Breach Investigations Report, Verizon disclosed that over 40 per cent of data breaches in 2016 used social engineering techniques. Social engineering essentially refers to the ways a criminal tricks a person into revealing sensitive information with the intention of using it fraudulently.
Research shows that in 2016, 15.4 million consumers were victims of identity theft or fraud. Card-not-present fraud (by phone or email) increased by 40 per cent from 2015 to 2016. The UAE is certainly not immune. The BBC recently reported a hard-to-believe account of a fraudster who purportedly scammed $242 million from a UAE bank — by professing that he had magic powers.
When the stakes are so high, why do people continue to fall for scams? We laugh at the mention of a call or email from a Nigerian prince offering a long-lost inheritance or exclusive prize — but they are much more effective than we’d like to believe.
Tailored scams
In this region, cyber criminals often target the general public via phone or email, asking them to share their online banking credentials or credit card details under the guise of a lucky win or the re-validation of their bank account. They tailor their scams to the UAE, where it’s not unusual to be picked out for a shopping festival raffle or a cash prize, gold or even a car through your bank.
They get away with these implausible imitations by exploiting a cultural norm. They also target our tendency to be lazy when it comes to changing our passwords. Most people don’t consider that a hacker could, for example, use their leaked LinkedIn, Dropbox or Yahoo password to try to access their online banking account.
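The defensive counterpart of that risk is for a bank’s registration or password-change flow to refuse any password already present in a leaked credential corpus. The Python sketch below is an added example, not code from the article or its author; the leaked list is a constructed sample (it deliberately includes “dadada”), and the lookup uses hash-prefix matching so the full password hash never leaves the client.

```python
import hashlib
from typing import List, Tuple

# Constructed stand-in for a real breach dump (e.g. the LinkedIn leak above):
# a set of SHA-1 hashes, uppercase hex, of passwords known to have leaked.
LEAKED_PLAINTEXTS = ["dadada", "123456", "password", "linkedin", "qwerty"]
LEAKED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PLAINTEXTS
}


def sha1_hex(password: str) -> str:
    """SHA-1 of the candidate password as uppercase hex (the corpus format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> List[str]:
    """Simulates a k-anonymity 'range' lookup: the caller sends only the first
    five hex characters of the hash and gets back every known suffix sharing
    that prefix, so the service never learns the full hash or the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(h[5:] for h in LEAKED_HASHES if h.startswith(prefix))


def is_breached(password: str) -> bool:
    """True if the password's hash suffix appears among the returned suffixes."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def check_new_password(password: str, min_len: int = 12) -> Tuple[bool, str]:
    """Policy a sign-up flow could apply: reject leaked passwords first
    (a leaked password is unsafe at any length), then enforce a minimum length."""
    if is_breached(password):
        return False, "found in leaked credential corpus"
    if len(password) < min_len:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["dadada", "short1", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate))
```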
On top of a trusted technology platform, we need to train people to understand, follow and implement reliable procedures. The term “last-mile problem” is often used in information security to describe incomplete education, awareness and training for the people tasked with operating security systems and processes. This means that the transfer of important security information into the hands of staff, vendors, partners, and customers is often flawed.
We need to widen our approach to change the way that the people operating and impacted by the technology think and act.
One of several ways to help drive behavioural change is to slow down the security decision-making process by introducing more safety valves. We know from research that decisions made in a hurry are significantly influenced by emotions rather than by logic or experience. We can encourage people to request more information, or another form of communication, from whoever is soliciting them, so that they have more time to assess whether the request is genuine.
But on a personal level, there is one form of technology that has helped me to manage my own security better, and that is a password manager — a secure app that works like a vault to store all account passwords and help create strong new passwords.
With a password manager, I only need to remember one strong password that gives me access to the app. I make sure that the app is secure by choosing one that has been thoroughly reviewed and is available from the official Android and Apple app stores. This is an example of a technology helping people to apply security in a practical and convenient way, which I encourage everyone to use.
Brian Byagaba is senior manager — Information Security at Commercial Bank International.