The findings of Verizon’s 2019 Data Breach Investigations Report have reminded companies that let customer information go astray that they could be facing big fines and damaging publicity.

The Report

The annual Verizon Data Breach Investigations Report (DBIR) draws upon information gained from more than 2,000 confirmed breaches that hit organisations worldwide, and information about more than 40,000 incidents such as spam and malware campaigns and web attacks.

Big Fines

The report reminds companies that although personal data can be stolen in seconds, the effects can be serious and can last for a long time. In addition to the problems experienced by those whose data has been stolen (who may then be targeted by other cyber-criminals as the data is shared or sold), the company responsible for the breach can, under GDPR, face fines amounting to 4 percent of their global revenues if it has been judged to have not done enough to protect personal data or clean up after a breach.

Senior Staff Hit Because of Access Rights

It appears that senior staff are a favourite target of cybercriminals at the current time.  This is likely to be because of the high-level access that can be exploited if criminals are able to steal the credentials of executives. Also, once stolen, a senior executive’s account could be used to e.g. request and authorise payments to criminal accounts. The report also highlights the fact that senior executives are particularly vulnerable to attack when on their mobile devices.

Booby Trap Emails Less Successful

The report also states how sending booby-trapped emails (emails with malicious links) is proving to be less successful for cyber-criminals now with only 3 per cent of those targeted falling victim, and a click rate of only 12 per cent.

What Does This Mean For Your Business?

The report is a reminder that paying attention to GDPR compliance should still be a very serious issue that’s given priority and backing from the top within companies, as one data breach could have very serious consequences for the entire company.

Senior executives need to ensure that there is a clear verification and authorisation/checking procedure in place that all accounts/finance department staff are aware of when it comes to asking for substantial payments to be sent, even if the request appears to come from the senior executives themselves via their personal email. Obtaining the credentials of senior executives can also mean that cyber-criminals can operate man-in-the-middle attacks.

Executives and staff need to be aware that if a high-level email address has been compromised the first thing they may know about it is when funds are taken, so cyber-security training, awareness and policies need to be communicated and carried with all staff, right up to the top level.

The low level of booby trap emails being successfully deployed could be a sign that businesses are getting the message about email-based threats, or it could be that criminals are focusing their attention elsewhere.

The G7 nations will be holding a simulated cyber-attack this month to test the possible effects of a serious malware infection on the financial sector.

France

The attack simulation was organised by the French central bank under France’s presidency of the Group of Seven nations (G7).  The three-day exercise will be aimed at demonstrating the cross-border effects of such an attack and will involve 24 financial authorities from the seven countries, comprising central banks, market authorities and finance ministries.  It has been reported that representatives of the private sector in France, Italy Germany and Japan will also participate in the simulation.

Why?

As reported in March in a report by the Carnegie Endowment for International Peace (co-developed with British defence company BAE Systems), state-sponsored cyber attacks on financial institutions are becoming more frequent, resulting in destructive and disruptive damages rather than just theft.

The report highlighted how, of the 94 cases of cyber attacks reported as financial crimes since 2007, the attackers behind 23 of them were believed to be state-sponsored.  Most of these state-sponsored attacks are reported to have come from countries such as Iran, Russia, China and North Korea.

The report pointed out that the number of cyber attacks linked to nations jumped to six in 2018 from two in 2017 and two in 2016.

State-sponsored attacks can take the form of direct nation-state activity and/or proxy activity carried out by criminals and “hacktivists”.

State-Sponsored Attacks – Examples

An example of the kind of state-sponsored hacking that has led to the need for simulations is the attack by North Korean hackers on the Bank of Chile’s ATM network in January, the result of which was a theft of £7.5 million.

Also, in 2018 it was alleged that North Korean hackers accessed the systems of India’s Cosmos Bank and took nearly $13.5 million in simultaneous withdrawals across 28 countries.

As far back as 2016 North Korean hackers took $81 million after breaching Bangladesh Bank’s systems and using the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).  The perpetrators sent fraudulent money transfer orders to the New York branch of the U.S. central bank where the Dhaka bank has an account.

What Does This Mean For Your Business?

An escalation in state-sponsored attacks on bank systems in recent years is the real reason why, in addition to fending off cyber-criminals from multiple individual sources, banks have noted an evolution of the threat which has forced them to focus on sector and system-wide risks.

As customers of banks, businesses are likely to be pleased that banks, which traditionally have older systems, are making a real effort to ensure that they are protected from cyber-attacks, particularly the more sophisticated and dangerous state-sponsored cyber-attacks.

Digital Minister Margot James has proposed the introduction of legislation that could make internet-connected gadgets less vulnerable to attacks by hackers.

What’s The Problem?

Gartner predicts that there will be 14.2 billion ‘smart’, internet-connected devices in use worldwide by the end of 2019.  These devices include connected TVs, smart speakers and home appliances. In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.

The main security issue of many of these devices is that they have pre-set, default unchangeable passwords, and once these passwords have been discovered by cyber-criminals the IoT devices can be hacked in order to steal personal data, spy on users or remotely take control of devices in order to misuse them.

Also, IoT devices are deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.

New Law

The proposed new law to make IoT devices more secure, put forward by Digital Minister Margot James, would do two main things:

• Force manufacturers to ensure that IoT devices come with unique passwords.
• Introduce a new labelling system that tells customers how secure an IOT product is.

The idea is that products will have to satisfy certain requirements in order to get a label, such as:

• Coming with a unique password by default.
• Stating for how long security updates would be made available for the device.
• Giving details of a public point of contact to whom cyber-security vulnerabilities may be disclosed.

Not Easy To Make IoT Devices Less Vulnerable

Even though legislation could put pressure on manufacturers to try harder to make IoT devices more secure, technical experts and commentators have pointed out that it is not easy for manufacturers to make internet-enabled/smart devices IoT devices secure because:

• Adding security to household internet-enabled ‘commodity’ items costs money. This would have to be passed on to the customer in higher prices, but this would mean that the price would not be competitive. Therefore, it may be that security is being sacrificed to keep costs down – sell now and worry about security later.
• Even if there is a security problem in a device, the firmware (the device’s software) is not always easy to update. There are also costs involved in doing so which manufacturers of lower-end devices may not be willing to incur.
• With devices which are typically infrequent and long-lasting purchases e.g. white goods, we tend to keep them until they stop working, and we are unlikely to replace them because they have a security vulnerability that is not fully understood. As such, these devices are likely to remain available to be used by cyber-criminals for a long time.

What Does This Mean For Your Business?

Introducing legislation that only requires manufacturers to make relatively simple changes to make sure that smart devices come with unique passwords and are adequately labelled with safety and contact information sounds as though it shouldn’t be too costly or difficult.  The pressure of having, by law, to display a label that indicates how safe the item is could provide that extra motivation for manufacturers to make the changes and could be very helpful for security-conscious consumers.

The motivation for manufacturers to make the changes to the IoT devices will be even greater when faced with the prospect of retailers eventually being barred from selling products that don’t have a label, as is the plan with this proposed legislation.

The hope from cyber-security experts and commentators is that the proposal isn’t watered-down before it becomes law.

Later this month, Google will be rolling out 3D Augmented Reality (AR) in its search results, a change which could allow retailers to show their products online in a way that enables customers to a virtually ‘try’ those products and see them in situ before buying them.

Shown At Phone Launch

Google showed how 3D AR could work in search results to attendees of the launch of its Pixel 3 smartphone at its annual developer’s conference. At the phone launch, Google’s Vice President, Aparna Chennapragada, used a superimposed animation of a shark and a 3D exploration of a pair of New Balance running shoes to illustrate how potential customers could superimpose a 3D AR image of a product on their own chosen backdrop (‘you space’).  This would allow customers to see just how a product would look in situ if they were to purchase it.

Brands

Examples of the brands that Google is reported to have been working with in order to develop optimised links to 3D AR versions of their products in Google’s search results include New Balance, Samsung and Volvo.

Other Uses of AR

Google users may already be used to seeing AR in action as part of Google Maps, where users can switch from map to an AR representation with directional arrows by clicking on the ‘satellite’ link and then by clicking on the route. This feature allows users to follow arrows along a drivers-eye route, change direction, and zoom in and out.

AR and VR

Back in October 2017 Ordinance survey introduced AR to its mobile app so that users could point their smartphone at the world around and see labels about places of interest and get a reading of how far away they are.

In February this year, breakfast cereal manufacturer Kellogg’s announced that it had been working with third-party VR companies to help it determine the best way to display its new products in stores. The pilot scheme used VR to give test subjects an immersive and 360-degree experience of a simulated store environment in which they were able to ‘virtually’ pick products, place items in shopping trolleys and make purchases.

What Does This Mean For Your Business?

Using AR to show 3D AR versions of products in the search results will enable companies to get their product instantly in front of consumers in a way that allows them to engage with those products on-demand, have a good look around the products, and virtually try them out and see how they could fit in with their lives.  This may be particularly important for products linked to self-image and lifestyle perceptions.  This could prove to be a valuable sales tool with considerable potential for all manner of products.

It has been reported that it was a surveillance attack on Facebook’s WhatsApp messaging app that caused the company to urge all of its 1.5bn users to update their apps as an extra precaution recently.

What Kind of Attack?

Technical commentators have identified the attack on WhatsApp as a ‘zero-day’ exploit that is used to load spyware onto the victim’s phone.  Once the victim’s WhatsApp has been hijacked and the spyware loaded onto the phone, it can, for example, access encrypted chats, access photos, contacts and other information, as well as being able to eavesdrop on calls, and even turn on the microphone and camera.  It has been reported that the exploit can also alter the call logs and hide the method of infection.

How?

The attack is reported to be able to use the WhatsApp’s voice calling function to ring a target’s device. Even if the target person doesn’t pick the call up the surveillance software can be installed, and the call can be wiped from the device’s call log.  The exploit can happen by using a buffer overflow weakness in the WhatsApp VOIP stack which enables an overwriting of other parts of the app’s memory.

It has been reported that the vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of WhatsApp.

Who?

According to reports in the Financial Times which broke the story of the WhatsApp attack (which was first discovered earlier this month), Facebook had identified the likely attackers as a private Israeli company, The NSO Group, that is part-owned by the London-based private equity firm Novalpina Capital.  According to reports, The NSO Group are known to work with governments to deliver spyware, and one of their main products called Pegasus can collect intimate data from a targeted device.  This can include capturing data through the microphone and camera and also gathering location data.

Denial

The NSO Group have denied responsibility.  NSO has said that their technology is only licensed to authorised government intelligence and law enforcement agencies for the sole purpose of fighting crime and terror, and that NSO wouldn’t or couldn’t use the technology in its own right to target any person or organisation.

Past Problems

WhatsApp has been in the news before for less than positive reasons.  For example, back in November 2017, WhatsApp was used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain bank details.

Fix?

As a result of the attack, as well as urging all of its 1.5bn users to update their apps, engineers at Facebook have created a patch for the vulnerability (CVE-2019-3568).

What Does This Mean For Your Business?

Many of us think of WhatsApp as being an encrypted message app, and therefore somehow more secure. This story shows that WhatsApp vulnerabilities are likely to have existed for some time.  Although it is not clear how many users have been affected by this attack, many tech and security commentators think that it may have been a focused attack, perhaps of a select group of people.

It is interesting that we are now hearing about the dangers of many attacks being perhaps linked in some way to states and state-sponsored groups rather than individual actors, and the pressure is now on big tech companies to be able to find ways to guard against these more sophisticated and evolving kinds of attacks and threats that are potentially on a large scale.  It is also interesting how individuals could be targeted by malware loaded in a call that the recipient doesn’t even pick up, and it perhaps opens up the potential for new kinds of industrial espionage and surveillance.