So you think your passwords keep you safe against cybercrime?
From the Direct Marketing Association of South Africa
‘Some consider South Africans blasé when it comes to protecting their vital personal information; others feel that the rising number of inexperienced Internet users in South Africa is making this country a prime target for ‘cybercrooks’. According to the 2012 Norton Cybercrime Report, we are third only to Russia and China.’
This is the message from DMASA COO Alastair Tempest, whose close involvement with various entities attempting to eradicate cybercrime, has given him a deep understanding of the problem.
‘As the Association representing the interests of the South African indirect and direct marketing industries – along with all the peripheral industries – we are extremely conscious of the ease with which vital data is accessed by those using it for immoral purposes. POPI should protect the consumer against the illegal use of personal information within the Republic, but what can we do to protect the consumer against foreign scam and against himself?’
‘The cyber-criminal is an expert when is comes to using DM,’ he continued. ‘Obviously, the ultimate aim is to steal either money or information, with the consumer providing the easiest target for monetary enrichment. And unfortunately, the average consumer makes it extremely easy for that theft to take place.’
But what does this mean to the ‘man-in-the–street’? Even those with a good understanding of the dangers lurking in the ether can become so blasé that costly mistakes are made.
Cybercrime and the sa consumer
This subtle form of crime pervades our daily lives. In a recent survey held in the UK by Experian, it was found that ‘many British internet users who are fully aware of the dangers of clicking on suspicious looking web links or opening unsolicited e-mail do so anyway. One in six Britons admit to opening so-called ‘spam’ e-mails just to see what they say, whilst one in 50 go a step further and click on the web links in spam e-mails.’
As part of its research Experian set up eight fake e-mail accounts to see what would happen when hackers got hold of the details. All eight were taken over within five hours, by criminals based in countries ranging from Albania to Brazil. The first messages to be read in the account were e-mails related to passwords, followed by messages between friends and family. Experian tracked about 9.49 million items of personal data being traded in 2010, rising to 19.04m last year and likely to be nearly 40 million by the end of 2012.
The UK’s National Security Strategy in 2010 classed cyber security as one of our top priorities alongside international terrorism, international military crises and natural disasters.
And in the US, President Obama declared that the ‘cyber threat is one of the most serious economic and national security challenges we face as a nation.’ On 12 February 2013, shortly before he delivered his annual State of the Union address, President Obama signed an executive order entitled ‘Improving Critical Infrastructure Cybersecurity.’
Research has been undertaken not only in South Africa, but across Africa as a whole. ISG founder and Wolfpack MD Craig Rosewarne released South Africa’s first Cyber Threat Barometer in 2012. The survey found that ‘the African continent is particularly vulnerable to cyber security threats. With cheaper and faster Internet, more Africans will be continually connected, increasing the number of ‘new’ Internet users who are not security-savvy.’.
There are many ways, seemingly innocuous, in which we can be scammed…. The most common ’stings’ include:
E-mail scams
It’s amazing how many misunderstood African princes there are out there, desperate to claim their rightful inheritances, but needing the assistance of a stranger’s bank account! There’s an expression that should be part of every e-mailer’s litany – ‘I understand that if it looks too good to be true, it almost certainly is, so I will leave well alone’.
A scam unearthed by Symantec in February of 2012 involves the impersonating of an accounting department of a random firm. A message is received by e-mail from the ‘firm’, informing the recipient an amount has been paid into his or her account and confirmation must be acknowledged by return of e-mail. An HTML attachment shows a faint deposit slip.
Before a response can be made, the deposit slip disappears. A further message is sent, telling the recipient that email contact has been lost and signing in again is necessary to view the slip. The researchers from Symantec warn ‘On clicking the only optional button, users are shown a website that resembles a well-known bank login page. If users input their bank credentials or their e-mail address on this page, their information is sent to the scammers and may be used for nefarious purposes.’
Web-based scams
‘We are told constantly about scams involving banks, and the financial sector is really vigilant when it comes to protecting the right of access to bank accounts, for example,’ said Tempest. ‘Again, though, banks can have the most sophisticated security software available, but if the very person they are trying to protect is lax or irresponsible with their personal data, then what can the banks do?’
South Africa has the dubious honour of having the largest number of ‘phishing’ attacks in the world when it comes to internet banking.
Tempest continued, ‘Basic common sense should warn us that our bank would not send an open e-mail requesting us to confirm our banking details, yet so many otherwise-intelligent consumers willingly reply to the e-mail with vital personal data.’ He acknowledges that the cybercrooks are getting more and more proficient at copying banking websites. ‘Look for the ‘padlock’ logo that will tell you the site is secure. If that isn’t there, then assume you are being targeted. However, to be on the safe side, do not reply to any bank message. If you get an e-mail or SMS requiring information, call the bank immediately.’
Viruses – the way in for key loggers
Browsing the internet and downloading files is a daily occurrence for most consumers. If the anti-virus is a good one, and is current, then this practice is relatively safe. If the security is not up-to-date, details such as bank accounts can easily be compromised.
Botnet (or Zombie army)
A survey undertaken by the Russian-based Kaspersky Laboratories reported that botnets posed a bigger threat to the internet than spam, viruses, or worms.
A Botnet or Zombie army is created when computers, often those used at home, are set up to forward spams and viruses via the Internet. (Any such computer is referred to as a zombie – in effect, a computer ‘robot’ or ‘bot’ that serves the wishes of some master spam or virus originator. Source: Margaret Rouse February 2012). A botnet can be used to launder money through a global network, for example, even when the affected computers are switched off.
To prevent your computer becoming an unwitting purveyor, ensure your firewalls are effective and current.
The McAfee Threats Report: First Quarter 2012 makes fascinating reading. It seems that there is a ‘shopping list’ of botnet packages offered by underground forums! The survey was undertaken to expose threats to the United States; figures for South Africa are not available.
In an article on the ZeroAccess bot, James Wyke of Sophos Labs (Naked Security 19 September 2012) revealed that the current version of ZeroAccess has been installed on computers over nine million times with the current number of active infected PCs numbering around one million. They found the IP addresses of infected machines from a total of 198 countries ranging from the tiny island nation of Kiribati to the Himalayan Kingdom of Bhutan!
Mobile and ‘Phones
Cybercrime is affecting cellphones in earnest by attracting unsuspecting consumers to call a ‘local’ number which makes an international prime cost call. Consumers call the original number and are put on hold, or are treated to a long chat with an operator. Meanwhile, their cellphone bill increases! There are also ‘vishing’ – the telephonic version of ‘phishing’ – attacks on cellphones.
Social media
The constant use of social media platforms could allow users to be targeted, as family names and addresses can be traced from information given on sites such as Facebook and LinkedIn. The rapid rise of internet users sharing information across social network platforms and the increase in the number of smartphones puts unwary consumers at great risk
June 2012 ‘saw a major victory for the online hacking community: six million encrypted passwords were successfully ‘stolen’ from LinkedIn and published on a Russian website, along with an open invitation for hackers to decrypt the data,’ according to Thalia Randall in an article entitled ‘The digital dangers of LinkedIn’. In the feature, Panda Security country manager Jeremy Matthews said it also highlighted something about South African internet users: a naive ‘carelessness’ about security measures online. ‘As South Africans, we’re very conscious of physical security and traditional crime. But [what we don’t realise] is that there is as much danger in the online world as there is in the physical one.’
E-commerce
Buying and selling on the internet is increasingly popular. Credit cards are normally used as a payment facility, but carelessness can lead to the leaking of private account information.
Laptop theft
This form of theft from corporate firms is on the increase. Valuable information stored in the laptop is sold to market competitors, leading to huge financial losses and the loss of vital data.
You are the weakest link!
Be honest, now – how many of you use the same password for multiple accounts – and how often do you change your passwords?
Remembering multiple passwords isn’t easy, and writing them down to carry in your wallet is not very clever, although it’s amazing how many consumers carry their banking details and their password information around with them.
‘Although there are new techniques to make internet banking more secure, cyber criminals attack the weakest link, which is the user,’ said Professor von Solms, a research professor in the Academy for Computer Science and Software Engineering at the University of Johannesburg.
And it would seem that the lax attitude in choosing ‘safe’ passwords is more common than one could imagine.
In ‘Enter the perplexing password’, Oliver Burkeman revealed that in September of last year ‘an analysis of leaked pin numbers revealed that about one in 10 of us uses ‘1234’; a recent security breach at Yahoo showed that thousands of users’ passwords were either ‘password’, ‘welcome’, ‘123456’ or ‘ninja’. People choose terrible passwords, even when more is at stake than their savings. Among military security specialists, it is well known that at the height of the Cold War the ‘secret unlocking code’ for the United States’s nuclear missiles was 00000000. Five years ago, the BBC’s Newsnight programme revealed that until 1997 some British nuclear missiles were armed by turning a key in what was essentially a bike lock. To choose whether the bomb should explode in the air or on the ground, you turned dials using an Allen key, Ikea-style. There were no pass codes at all. Speed of retaliation, in the event of an enemy attack, counted for everything.’
The fight against cybercrime is intensifying
South Africa is positioning itself as a leading developer in anti-cybercrime through partnerships with countries such as the USA and the UK. SA’s government is also breaking new ground in the fight against cybercrime.
In October 2012, Tempest was invited to represent SA at the eighth meeting of the London Action Plan (LAP), where it was noted that as the LAP increased collaboration between the regulators, regulatory authorities, police and self-regulation, the spammers constantly widened their nets, developing and using new techniques.
Her Excellency Dame Nicola Brewer, British High Commissioner to South Africa, Swaziland and Lesotho outlined steps taken by the UK. ‘To support the implementation of our objectives we have committed new funding of £650m over four years for a transformative National Cyber Security Programme to strengthen the UK’s cyber capabilities. In November 2011 the UK Government published a Cyber Security Strategy (available online), setting out how the UK will tackle cyber threats to promote economic growth and to protect our nation’s security and our way of life.’
In the 2012/2013 South African Cyber Threat Barometer, funded by the British High Commission, information is given on the more effective international initiatives formed to counteract cybercrime. ‘The Council of Europe (COE) established the Budapest Convention of Cybercrime (standards: CETS 185) which is recognised as an important international instrument in the fight against cybercrime. The main capacity-building project and driver of the COE’s action against cybercrime has been the Global Project on Cybercrime.’
The report continues, ‘Nations supporting this Convention agree to have criminal laws within their own nation to address cybercrime, such as hacking, spreading viruses or worms, and similar unauthorised access to, interference with, or damage to computer systems. Each country should have a single point of contact for international co-operation in cybercrime investigations.
South Africa and many other countries signed the COECC Convention on Cybercrime as a multilateral instrument to address the problems posed by criminal activity on computer networks. However, many states still have to sign, let alone ratify, the Convention to serve as a deterrent. South Africa has signed the Convention, but has to-date not ratified it. The unanimous participation of all nations is thus required to achieve meaningful collaboration.’
Tempest warned, ‘While this is excellent news, and the initiatives being put in place are indeed impressive, the DMASA feels it is imperative to remind both the DM practitioners and the consumers that security measures should be put in place right at the source – i.e. with the consumers themselves.’
A more mature, educated attitude to securing our personal information is needed.
•Passwords are vital; while acknowledging the difficulty of creating – and memorising – multiple passwords for multiple accounts, the consumer must work out a system whereby ‘intelligent’ passwords are used. Don’t use your name, your dog’s name, the names of your children, for example.
•When using the internet for banking, be sure to use the ‘log off’ function.
•Be aware of how much information you are sharing through the social media platforms.
•Extreme caution must be taken when buying and selling on the internet. EFTs are often more secure than handing out credit card details.
•Security has to be of paramount importance within any business organisation. As previously stated, small businesses in SA are increasingly at risk. Spend as much as you can on sophisticated anti-virus software.
•Laptops should be kept under lock and key when not in use. I know of businesses whose entire data has been stolen through disgruntled employees deciding to enhance their salaries by selling information.
•Keep abreast of the latest developments in cybercrime. An educated consumer will not become a victim…
Cybercrime is highly profitable. It’s convenient, inexpensive and perpetrators are far less likely to be caught.
Arm yourself!