“The Front Lines of Digital Warfare”

June 1, 2019

Information is knowledge. Knowledge is power.

If the wrong person obtains your sensitive, personal information, how much power can they wield over you? Think about this as you read on.

“… They (hackers) called me on the phone pretending to be my bank (USAA), and informed me they needed to verify suspicious account activity. The caller ID said it was legitimate so I didn’t really question it. Of course, I had the sense to get online immediately, and look for myself. The transactions were there, in the exact amounts they had indicated. I told them it was not me, and that it was fraudulent. As this was happening, it turns out they were also on the phone with USAA, pretending to be me. They already had all of my information at this point. Card numbers, personal information – everything. The purpose of this particular phone call was to steal a large sum of money from me, as my account had transaction limits in place to prevent this. They were even sending bogus email and text notifications as I was talking to them… When it was all said and done, they had bumped my account transfer limits up, and stole $18,000 dollars from me while I was on the phone.

This conversation took place between a colleague and myself 4 days ago. He was absolutely taken to the cleaners by a couple of sophisticated (both technically and socially) hackers. One of the owners here at AVR Defense, dealt with a similar attempted attack on his USAA account the same day this conversation occurred. He is far more attuned to the modern world, however, and squashed the hacking attempt immediately.

USAA, like every corporation today, is being targeted because they have your sensitive information.

And as that incident shows, often times it is much easier to get said personal information from people instead of an encrypted database because all you need to do is get personal, and get them to let their guard down. Welcome to Intelligence Gathering 101! Have a seat. It is going to get weird now and we are going to touch your brain in places that will make you feel uncomfortable.

Want to know the unfortunate aspect of the incident involving my colleague? To prevent the attack from being as successful as it was, all he had to do was hang up the phone, and call USAA right back, which would have established an authentic line of communication with them. Crazy, huh? Simply terminating the phone call, and then reestablishing a connection on your terms can prevent you from being a victim of such thievery. Funny how a tactical mindset applied to everything you do, can even prevent you from being a victim of fraud and identity theft! You engage on your terms and conditions. You initiate the attack or counter-attack. You drive the enemy. Not the other way around.

Also quite funny, is how sometimes the most unsophisticated defensive tactics will defeat the most sophisticated attacks. Terrorist cell doesn’t want to be spied on? Easy – they simply write letters and use couriers instead of electronics to communicate and devise plans for an attack. Hacker doesn’t want to crack into your bank account directly from his/her laptop to steal money to buy “preciousss” Bitcoin? Well, go figure, there is a solution for that problem too – buys burner phone and a SIM card, downloads an app, spoofs a phone number, and then just calls you to see how gullible you are.

We’ll press on, but add this before we do: all you need to know if your bank (or anybody) ever calls you is that they will NEVER (or at least they shouldn’t) call you and start probing for sensitive information. Never. That is not the protocol on their end. So, if that happens to you, hang up immediately, search for their customer service line on the web, and call them back. Simple.

Moving on – consider the scenario of bogus phone calls, and add a more elaborate piece of technology to the attack – machine learning (commonly called “AI”), packaged with voice replication algorithms.

That “hack” now plays out like this:

  1. Hackers breach telecommunication infrastructure, and obtain audio samples in real time as you talk to your bank.
  2. Voice replication software is used to create an accurate audio image of your voice and the voice of the person (or bot) you are talking to.
  3. Hackers manually terminate the call between you and your bank.
  4. They immediately call both of you back with masked phone numbers, talk with your voice, and begin extracting sensitive information from both of you.

I mean, the call was just terminated. You immediately get a call back and you hear the same voice. How might the unsuspecting or uninformed person respond to a series of socially engineered questions, aimed to defeat information security protocols at both ends? Again, if you want personal information from somebody, a highly successful approach is to get personal, break them down emotionally, defeat those personal defenses, and gain their trust.

Example to elucidate that point: if your mother calls you on the phone, and starts asking you about your personal life, are you going to immediately assume, without question, that it is actually her based on the sound you hear? Of course you are. Why would you not, when your entire life has conditioned you to trust each of your five senses? The smaller group of highly advanced hackers (speaking of their technical prowess) are gearing up in this new war and you had better believe they are excited about the new weapons being developed right now in the tech industry.

And so it is. Here we find ourselves in the modern world. It is 2019 and technology is evolving at a nonlinear rate. And as it is with all things good and useful, there is always somebody willing and able to wield and weaponize those things to take advantage of others. It is why we can’t have nice things sometimes – people looking to exploit others for their own profit or gain.

We should talk about that too and really split open, right to the core, the issue of exploitation of people and, to be more specific - their information.

Massive data centers across the globe are keeping an intricate record of your life – where you go, live, work, and eat. Even what you buy, say, watch, and believe – yes, that is all there too, perfectly cataloged, sorted, then sold for a price in order to pitch advertisements to you as you scroll through Facebook, Google, Instagram and Twitter feeds.

As consumers, we are involved in digital warfare. Our information is on the frontlines every day, used as a sacrificial pawn, and shuffled around the board to complete the mission: money. They want your money. That is the prize for they who massively gather and sell your information.

We are not going to use ambiguous terms here, however, or cheapen the validity of that fact not explaining who "they" are. No, we will be specific. Credit card companies, banking institutions, your insurance company, your mobile service provider, your cable provider, Facebook (whom are the owners of Instagram and WhatsApp as well), Snapchat, Twitter, Google, Apple, Amazon, and the list goes on. They, specifically, want your money.

And they get what they want.

In 2017, Facebook reported upwards of $40 Billion (with a B) in revenue and EIGHTY-NINE PERCENT of that came from digital advertisements. Facebook is not the oddball, however. Google reports similar figures as well. Make no mistake about it; your information is one of the most valuable assets on the planet and hackers and corporations alike are making money hand over fist, because they own it and sell it to each other.

Mark Zuckerberg said this last year, after Facebook dealt with a global-wide cyber-security breach involving over 50 million user accounts, “This is a really serious issue and we’re taking it very seriously.”

Really? Well, explain the “very” part of that. Again, we see these vague adjectives in lieu of a real explanation. VERY seriously. “Very cool story.”

These companies are not taking this very seriously at all. Otherwise, they would not be selling your personal information to everyone willing to write a check.

Yes, war is being waged on the new digital frontier, and most of us are oblivious to it until we receive a notification from a bank, mobile service provider, or <insert every company on the planet that keeps a digital record of their customers/users and/or employees>. The simple fact is that not all companies on the planet specialize in cyber-security. However, all companies should. They should be more thoroughly engaged in the fight and they are not.

Who is doing the fighting then? Who has engaged? Realistically, a small portion of the tech industry (relative to the amount of time and resources they allocate to developing new product to push to their consumers each year). The shorthand of it this: if you want to know what a business’s priorities are, simply look at where they spend their money. The companies spend most of their money on growth, and attracting more business. That is a fact.

Somewhere, in some place, you have heard us say that you are responsible for your own security. That statement rings true with Information Security. You should engage, protecting and defending your information. It is valuable. It is damaging if the wrong person gets it. Secure it. Also, you should understand that most businesses you deal with today are behind the curve when it comes to the evolution of this warfare. Case and point: the hack of the Sony playStation Network.

14-year-old kids who wanted the account information of the users on Sony’s PlayStation network were, indeed, a few steps ahead of the electronics/tech giant.

“The Lizard Squad... What? Who is that?” was surely asked by somebody – right before that somebody was fired.

It didn’t help either that Sony was not encrypting personal information like they should have, nor did they warn users in a timely manner that their entire network was compromised. Then, they did their best to make arguments that the increased number of credit card fraud incidents being reported by their network users was completely unrelated to the recent network infrastructure blunder.

This laughable response went on with even more brazen displays of the company not wanting to take the blame for their slack approach to network and information security. In late 2011, after being slammed by a series of class action lawsuits, Sony changed their Terms and Conditions, requiring users to agree to give up their right (to join together as a group in a class action) to sue over any future security breach, without first trying to resolve legal issues with an arbitrator. Motivated by the damage done to them in the ongoing aftermath of their abysmal failure, the new agreement cleverly included any ongoing class action suits initiated prior to August of 2011 as well!

Somebody please queue the slow clap on the soundboard.

Do yourself a huge favor the next time you see some “T’s and C’s” pop up on your phone – read them. You will see just how invasive the tech industry is when it comes to gathering and selling your information. Wording, when dealing with issues of legality, is crucial. And they're precise with it.

Here’s an example of this that is far too broad for my liking. On an Android device (Google’s mobile device software) in the “App Info > App Permissions” setting you see “tickers” for what level of access the application is allowed. Phone calls, contacts, media, etc. If you’ve ever install a new app, and opened it for the first time, you’ve seen messages similar to this: “Allow this app to access the media/storage of this device?” What it does NOT say is this: “Allow this app to access the media/storage of this device, for the sole purpose of basic functionality directly related to the UI and intended use of the app alone.” Think. About. That. Wording – it is crafted with precision here. When you agree to “Yes, you may have access to my contact information, Application X” you are handing over every bit of data that app processes, writes, and stores ever. How else do you think you are able to get these cool notifications about your friends just recently installing it?

Companies who engage in this type of behavior want your information. They are clever about how they get it and how they are not liable for the way they decide to use it. They want it because it is valuable. And they do not truly care about this war. They care about growth, keeping your attention, and keeping your business.

Have you ever wondered why the notification icon on your Facebook page is RED and has a counter? It is because studies have proven that red anything in front of your face is obnoxious to you, psychologically, and your brain says, “Oh, you need to make that go away.” It is nothing more than bait on the hook, enticing you to engage with the platform, which brings more traffic, more activity, more ads, more ad revenue, etc. It's down a point.

There is simply too much to discuss on this particular topic and I think you see our point about the importance of keeping sensitive information secure. So, all of that said – we are going to wrap up this month’s newsletter by bulleting some actions you can take immediately to do a slightly better job at keeping your information secure, while better protecting yourself from hackers and fraud. Here we go...

  • Only use ATMs inside your bank, if possible. This increases the likelihood that it wasn’t tampered with
  • Use cash whenever possible. Cash is king. No digital information is passed with cash
  • Store money in separate accounts and have a dedicated account for online purchases. Move money into it right before you are going to use it. This puts smaller portions of money at risk and allows you some indicators when you review account activity or receive alerts. If activity is outside of the protocol, you have cause to investigate
  • Use cash for all shopping around the holidays, especially if you are one of these freak Black Friday shoppers
  • Speaking of Black Friday, just go ahead and avoid “Cyber Monday” altogether… unless, of course, you have that dedicated online shopping account set up! The key, as always, is minimizing the risk if it actually happens. Keep that in mind
  • Do not use bio-metric alternatives to pin codes and passwords on your mobile devices, or anything for that matter. Face ID and fingerprint scanners are too easy to defeat if somebody gets a hold of your electronic device
  • Use two-factor authentication to access accounts that you need to maintain with stricter security protocols. This is an encryption method that is difficult, nearly impossible, to defeat. Banking and credit institutions are beginning to implement this method, and encouraging their customers to use it. Check if yours does and use it.
  • Do not play the cold-call game, where one is warning you about how much money you owe, or about the alleged fraud activity, or how your card is not working anymore, etc. Hang up and call them back, to ensure your connection is legitimate. These are phishing attempts. Do not be a sucker
  • Do not click any “sign-in here” links in emails from your bank, or any organization for that matter. Open your browser and go directly to their webpage. Too easy to build a bogus website that looks legitimate
  • Set MMS and all other media settings of your mobile device to not automatically download. This prevents an unknown number from messaging you, and downloading malware to your mobile device without your knowledge
  • STOP CONNECTING TO THE COFFEE SHOP WI-FI!
  • STOP CONNECTING TO THE HOTEL WI-FI!

We need to pause simply so I can state how those last two drive me nuts. Do you know how easy it is for me to go someplace, create a malicious hot-spot service – then name it something like “Airport Wi-Fi” (or wherever I am), and watch everybody connect to it? You have just provided me the best access point possible, aside from physically handing me your computer.

Stop it.

Rolling along…

  • Encrypt data on external storage devices (thumb drives, SD cards of your mobile devices, etc. – any device where you might keep sensitive information). Encryption software is cheap, and usually free. Your “phone” (if you want to call it that) should have this feature built into the OS, to encrypt all data on the internal and external storage devices (user data partition of the device, and micro SD card if you are using one). Use encryption to protect your information whenever possible
  • Cover keypads with your free hand whenever you use them to complete transactions (at the bank, the store, the gas station, etc.)
  • Do not show people your driver’s license unless it is truly needed by an authority needing to see it (LEO, or maybe the bartender)
  • Don't tell people exactly where you live either. Your credit card is verified at a gas station by your zip code. A quick Google search after I've just snapped a picture of your card on the bar-top and I've got your card to pay for gas
  • When paying for drinks at the bar-top use cash, if possible. If you don’t have cash on you, do not leave your card sitting out in plain sight. Instead, fold the receipt neatly around it, covering the 16-digit number and other information on the front, and the CVV (Card Verification Value) number on the back. Furthermore, you should NEVER be required to provide your PIN if your CVV number is requested for a transaction, and vice-versa. And no website ever, unless they’re up to something nefarious, will require you to enter your PIN
  • Keep passports, SSN cards, and all documents you deem to have sensitive information, locked in a safe. Stealing this information during a robbery of one’s home is worth more than jewelry when it is sold on the dark corners of the internet
  • Do not set up security questions for accounts if the answers to those questions could be obtained by scrolling through your social-media profiles, or is stored digitally at all. Try this instead – think of your own unique question(s), and answer security questions of the account as if they were your question
  • Do not engage in small talk about your personal life at airports, bars, or public places in general. “Loose lips sink ships”. It is too easy to get people to talk. Don’t do it
  • Do not look like a desirable target for fraudsters and thieves. Jewelry, electronics, your clothes, etc., are all dead giveaways when sizing up how much money could be in that checking account of yours, or how big that line of credit is on your Chase card. Don’t give criminals information to act on, and they won’t

Making small changes in your behavior is always the best way to deter the preying criminal. Keep your head up, look around occasionally (rather than at some electronic device), and you might avoid becoming a target.

All of us are living in the most peculiar of times. Consider what handheld electronics were capable of 10 years ago, what they are capable of now, and try to imagine them 10 years from now.

Your specific role on the front lines of this war is to be action-oriented, proactively engaging yourself in securing your information. Because if you don’t, who will – the companies currently selling it?

I wouldn’t count on it.

 

- AVR Defense, signing off