He’s making a list, checking it twice, but unfortunately this holiday season, while Santa is sleeping, it is none other than a greedy cyber-criminal that is making plans to steal your good tidings, regardless of whether you were naughty or nice. The latest headlines on the street read, “Online retailers braced for biggest cyber crime Christmas of all time!” As Christmas bells are ringing, the experts in the know are claiming that hackers are ramping up their game to spoil everyone’s fun over the holidays.
Confusion typically reigns in retail over the next forty-five days, as shoppers make a mad dash to secure bargains for their families, friends, and loved ones. Banks, credit card processors, and the card associations gear up during the summer months to make ready for a doubling in transaction volume. Transaction volumes on the Internet, however, tend to grow more quickly year over year, a reflection of how convenience on the web now outweighs the need to touch and feel everything at the point of sale.
The Internet has indeed made our lives more convenient on several fronts, but it has also enabled the criminal element in our society to devise schemes that are much more difficult to detect and to prevent against than those of yester year. In the physical world, you could see a would-be threat approaching, and then walk the other way, but in the cyber world, all bets are off. The crooks have sophisticated ways of accessing your accounts without your knowledge. In many cases, they can hit and run, then disappear, with you being none the wiser. Such is life in today’s modern Electronic Age.
Why are security experts so concerned about this holiday season?
In a recent article in “The Guardian”, a reporter announced that, “Over the past 90 days, ThreatMetrix, which authenticates transactions on behalf of 4,000 customers across the world, has detected 45 million attempted attacks against online retailers, a 25% increase on the previous quarter. The company, which analyzes 1 billion transactions each month, has warned that the festive period will attract more attempted hacks than ever before.” With Cyber Monday, November 30th, days away, the time to be wary is now.
Or is it? Major security breaches over the recent past have compromised well over 100 million individual accounts, and these figures only represent one crime ring that was recently apprehended. More on that later, but your private information may already be in the criminals’ domain of potential targets, due to these prior break-ins. According to Vanita Pandey, senior director, strategy and product marketing at ThreatMetrix, “The third quarter yielded record numbers in attack attempts. The ultimate victims are the consumers whose digital identities are increasingly compromised with each subsequent breach.”
The time is now to change passwords on critical financial accounts, if only as a precaution. You might also check the security settings on your PC and smart-phone to block pop-ups, the favorite avenue for loading malware on your personal devices. Pandey goes on to add, “Cybercriminals don’t sleep when it comes to attacks – the majority of the attempts we saw were in the e-commerce space and retailers must stay on their toes when it comes to protecting digital identities during what is sure to be the largest digital season to date for online and mobile transactions.”
Cyber crime has been growing at astronomical rates for the past decade. Best estimates put the total cost in both direct losses and lost time and effort to be approaching $1 trillion annually. Rates of growth a few years back were measured to be 50% per annum, but the intel from above suggests the holiday growth figure is easily topping 25% quarter-to-quarter. Alisdair Faulkner, the ThreatMetrix chief products officer, explains, “There is an ongoing cat and mouse game between cybercriminals and businesses. We are living in a dystopian post-breach world where our trusted and established paradigms are fast changing.”
What is the latest cyber-crime news on the law enforcement front?
This week witnessed a rare victory for U.S. prosecutors over what has been called “Securities fraud on cyber steroids.” According to just one article on the topic, “U.S. prosecutors on Tuesday unveiled criminal charges against three men accused of running a sprawling computer hacking and fraud scheme that included a huge attack against JPMorgan Chase & Co and generated hundreds of millions of dollars of illegal profit.”
In 2014, JP Morgan Chase, our nation’s Number One bank in asset size, was breached. Names, addresses, and emails were accessed for 83 million accounts. From 2007 forward, another 17 million accounts were compromised from the likes of E*Trade Financial Corp, Scotttrade Inc., TD Ameritrade Holding Corp, Fidelity Investments, and News Corp’s Dow Jones unit, which publishes The Wall Street Journal.
The criminal charges outlined a global network that involved servers and computers in Egypt, South Africa, and Brazil. Illegal credit-card payments entered the system via a merchant operation in Azerbaijan, while the funds were laundered through 75 shell-company accounts held in Cyprus and across the world. The size of the operation was mind boggling, but therein laid its weakness. Law enforcement officials, who have a struggle at best trying to detect these activities, were able to get two former accomplices to spill the beans and cooperate.
Further investigation led to indictments: “The men charged—Joshua Samuel Aaron, Ziv Orenstein and Gery Shalon—are all from Israel. Mr. Aaron, who is also an American, is believed to be in Russia. The other two are under arrest in Israel. Other alleged conspirators are as yet unidentified. The charges involve many crimes, including running illegal internet casinos, handling the proceeds of other criminal activity, hacking into the computers of business rivals, and manipulating stock prices.”
How did this crime ring convert account information into $100 million?
The men charged were definitely professional criminals, but, apparently, they were not IT specialists. Investigators discovered that they had purchased their hacking software on the Internet black market, a disturbing fact for security experts since this rudimentary off-the-shelf program was able to bring down one of the world’s most sophisticated banks. JP Morgan Chase has since committed over $250 million and a staff of 1,000 strong to prevent a recurrence of such a colossal breach in the future.
Bank officials also assured the public that perpetrators had not accessed any sensitive data, like account numbers, passwords, user IDs, birthdays, or Social Security numbers. How then were the crooks able to amass such a fortune, said to be $100 million spread out over several Swiss bank accounts?
The process to beware of is called “phishing”. The crooks do have your name and email address, along with whatever they can also obtain from social media, a public database that is free and unobstructed. The first step in the process would then be to send what would appear as a notification from the bank that your account has been compromised. A link would be included to help you change your password, which might also install malware on your PC that would report future keystroke information back to the crooks.
The thieves could then sell this information to other crime rings or attempt to drain your accounts with phony transfers when you least expected it. This particular crime network, however, devised a broader scheme for raking in the dough. They set up a “pump-and-dump” stock operation that cold-called clients and persuaded them to purchase thinly-traded stocks on the stock exchange. The crooks had already purchased these shares. When new demand pumped up the stock price, the shares were sold for a tidy profit. Unwitting consumers were left holding a bag of air, so to speak.
Was it difficult getting people to buy these obscure securities? One crook confided in an accomplice that, “It’s like drinking freaking vodka in Russia.” Breaking security laws, however, was not enough for these guys. The criminals also chose to broaden their net with other tempting devices to amass more millions. Authorities revealed that there were over a dozen illegal Internet gambling websites and even a Bitcoin exchange that helped to bring in even more. The criminal element is both sophisticated and innovative.
What kind of prevention tips do the experts suggest for blocking cyber crooks?
The Semantec Corporation is famous for its Norton software, and by one account, “Symantec is the global overall market leader in Endpoint Security, Email Security, Data Loss Prevention and SSL Certificates.” From their perspective, cyber-crime prevention is fairly straightforward. These modern criminals like to hit and run by attacking the weakest links in the chain. If they encounter resistance, they move on to greener pastures. The solution is then to make it harder for them to penetrate your defenses, so that they do move on quickly. Here are seven basic prevention tips:
- Keep your computer current with the latest patches and updates.
- Make sure your computer is configured securely.
- Choose strong passwords and keep them safe.
- Protect your computer with security software.
- Protect your personal information.
- Online offers that look too good to be true usually are.
- Review bank and credit card statements regularly.
The last tip is of particular importance. You do have consumer rights when it comes to reversing various posting errors on your accounts, but there may be specific timeframes that require action on your part or your rights might expire.
According to U.S. Attorney Preet Bharara, who reiterated at a press conference in Manhattan, “By any measure, the data breaches at these firms were breathtaking in scope and in size and signal a brave new world of hacking for profit”. Make no mistake about it, this crime network was one of the biggest cyber-crime rings in history, but it is only the tip of the iceberg. The basic problem is that the crooks are adapting and evolving at a pace that is greater than the ability of our lawful economy to protect itself.
As long as this development “gap” persists, the greater the importance in being ever vigilant in protecting your personal interests. Avoid any and all attempts to “phish” your personal identity information. If you are approached by mail or email by one of your account providers, call them directly to validate their supposedly private contact. You also can change your passwords from time to time, block Internet pop ups, and beware of offers too good to be true. Lastly, mobile devices do leave “digital footprints” that can be exploited. Better to watch out these holidays and be safe, rather than sorry!