Complacency is the biggest scandal of all
“As we head towards 2015, we should be concerned. The UK is not set up to protect itself…” writes Simon Freeman, CEO of Fresh Skies.
If more is not done, cyber crime may become a tax on business
The sad reality is that the internet itself is fundamentally flawed in terms of security, to the extent that we may simply never be able to secure it to the levels that will prevent widespread fraud. Anonymity, over-reliance on trust, the ease with which criminals can commit crime and the global nature of the threat will make the internet a dangerous place – unless a paradigm shifting solution is thought up. There is none obvious at this point.
In the last year, the progress around cyber crime has been more on the side of the criminal’s sophistication and abilities than society’s willingness to address the problem.
Social engineering of email continues to improve. More ingenious content is being developed to snare the unsuspecting victim. Many of these emails now make it through multiple levels of anti-virus and malware.
We all know the big scandal that hit the headlines -145 million eBay accounts compromised including the encrypted passwords, date of birth, email addresses and mailing addresses. But is this the scandal? No, the real scandal is that, despite it being one of the biggest data thefts ever, nobody seems to show any real concern. People seemed utterly complacent about the fact that their data was stolen, and shrugged it off. Many (but not all) just changed their passwords.
The problem is deeper. Ask yourself this: how many people use the same login for eBay as they do for Gmail, for Facebook, for LinkedIn, for their banking?
It is likely that the number of people with only two or three passwords for everything they do runs into millions and millions. eBay stated they had not seen any increase in fraudulent activity. There is one aspect of an eBayer’s life that remains constant: parcel delivery. And here we enter the world of socially engineered emails. If you emailed 145 million people two or three times per year with the email containing pretty much any courier’s templated message, ‘We called but you were out’, you would probably score quite highly on the number of people who either open the attachment that typically comes with such emails or clickthrough to a fake website. If those emails contain your name and perhaps your date of birth to prove their legitimacy then they become even more convincing.
This is the world we are in. That data can never be retrieved. These criminals now have your name, address, date of birth and, with a little effort, probably your password. Even if you change your password, you are unlikely to change your name, your address and certainly not your date of birth. Their sophistication and trickery grows even faster than society’s complacency.
Fraud against business is growing online and the inability for the police to get prosecutions is well documented – they simply are not resourced to deal with this form of crime. The crime is global, so significant jurisdiction issues arise.
What should be done?
The first thing we should look at is our culture and attitude to data.
Why share so much data with so many organisations when it is out of our control?
We must start to educate society about cyber crime and the risks. Most people I deal with have little or no clue as to the risks they face even sharing minor amounts of data. They do not understand data aggregation and the sophisticated tools used to harvest our data that we freely share or, even worse, is shared without our knowledge.
Want to know how old someone is?
Just check out their various social networking pages. Many will not publish their date of birth but go on to publish the various schools they went to and in what years.
You can pin the average person down to within a year. It’s enough to use as a cross-reference to other sources of data to match. Government continues to publish data via Land Registry and Companies House data. Between those two (if a house owning director, of which there are millions) you can get the name, address, date of birth, possibly their bank and business associates, potentially their wealth indicators including share ownership and value of business.
Security providers are fighting a losing battle. To protect your data on the internet you should encrypt it. But despite many email providers offering encrypting solutions, few are taking it up.
Complacency is a big issue. U.S. Government’s attempts to force secure email providers to hand over keys has seen many providers close their doors. The consequences of this are obvious.
We should all be asking more questions. The one on my mind is this. If so much of our data is now out of our hands and in the hands of the cyber criminals, can anything at all be done or is it actually too late? Time will tell.
Cyber criminals are no doubt sitting on an incredible data asset, just working out how best to exploit what they have.
Simon Freeman
CEO, Fresh Skies Limited