What do you have that’s of value?
“There’s nothing in my bank account… hackers are welcome to my credit card number”
“The GDPR is such rubbish. I really don’t care if people know my name and email address”
“Does it really matter if someone tries to hack into my kettle?”
All of these are things we’ve heard in the past few months on cyber-security or data protection courses. They are, of course, expressions of frustration at a world that’s gone mad. Red tape everywhere, hackers trying to target Mr or Mrs Nobody who hasn’t got anything anyway, and a world where Internet-connected devices are fast becoming the norm – regardless of the benefit they may (or, more likely in many cases, may not) bring to the consumer.
I get it.
I share that frustration.
But that doesn’t mean that it’s right to feel that way, or that you should in some way give up the battle for security and privacy.
So, your bank account is empty, you work for a tiny company and you only bought a smart TV because that was all the store seemed to have these days? You still have a huge amount that is of value to a potential hacker.
Let’s assume, for a moment, that you have a bank account, a credit card and a store card.
And let’s assume that the worst has happened, and you’ve accidentally clicked a link in a phishing email, been fooled by the landing page, and now the hacker has your bank account login details. Of course, almost all banks have some form of two-factor authentication turned on by default these days, but that’s not an absolute guarantee that your account can’t be hacked.
So, what next?
You say you have no money. Perhaps you’re overdrawn – £200 into your £750 overdraft limit. Well, that’s £550 that the hacker can take right away. Probably not as cash, but they may well use your details to buy something online that they can later collect in store and then sell for cash, which is harder to trace.
But the real value of your bank account may even not be in its money, strangely enough. If you spot that you have been the victim of bank fraud, and that money has gone missing, as long as you tell the bank quickly, the chances are good that they’ll cover the losses, as long as you haven’t been negligent. In particular, the guidelines to banks regarding some forms of fraud known as “Authorised push payment fraud” were tightened up in January 2019 when it became clear following an investigation by Which that this was an increasingly common form of fraud. (NOTE: See update below – it seems that too many banks still aren’t taking heed of this new code of practice…)
But, if I can log into your account and impersonate you, then that really helps me build an identity – your identity. I can start to use your identity to open other accounts in your name, for phones, store cards or other services, all of which will help me to use your identity for my own purposes.
If I can start to build a whole identity around your bank account then that can be used for “proving” that I am you, and used in all sorts of real-world transactions, from benefit claims to renting property to buying vehicles. And all of these activities will have an impact on you, your credit rating and your life. What if that car that I bought in your name (perhaps by now with a driver’s licence that has my photo but your name) is involved in an accident? What if I commit crimes “as you”?
Don’t get me wrong – it’s not exactly easy. You can’t just wander into the bank and pretend to be your own neighbour, boss or . Banks have complex and hardened systems in place to detect fraud, including potential identity theft. But it still happens every day, because the rewards are worth it for the criminals, and they’re experts at it. Just search online for “identity theft stories” to see how often it happens – and how bad it can be.
About your company
Of course, if it’s about the money, then companies often have lots. Apple has a trillion dollars to start with, and Microsoft another trillion or so. Google and Facebook, to name two more, are not short of cash either.
But you don’t work for them. You work for, let’s say, a small, 5 person company, running corporate parties and events for your clients. A round of golf for that local insurance broker, a box at the Royal Opera House for your client in HR at British Gas, and the summer party for that fast-growing aerospace company a few towns over.
Here’s a question: who has better cyber-security – you and your team, or British Gas? You, or that aerospace client?
With the best will in the world, they have resources that you can barely dream of. You do everything you can – multi-factor authentication, password management software for all staff, remote-wipe software installed on all your office mobiles. But they have a team – a team! – of security professionals, whose sole job it is to keep the bad guys out.
So if I am one of those bad guys, and I’m determined to make some money out of British Gas, where’s the weak link in the chain? Is it them, or you? You’ve got the name, job title, phone number and email address of the HR director. You’ve got her details stored in your CRM system, you’ve got their bank details from when you invoice them and they pay you. You’re connected on LinkedIn, and have meetings in your diary with her.
In other words, you are a treasure-trove of information that would be invaluable to a social engineer. Information that would probably be much harder to glean from this mythical head of HR directly. And all I’ve got to do is get you to open a document, click a link, or just visit my website in order to gain access to your computer. And then British Gas, watch out. And that aerospace company. And that insurance broker.
In other words, even if you don’t have cash, even if you’re not big, you have clients who do and clients who are. You’re a gateway to much bigger targets, and a gateway that may be the easiest way in to them.
That makes you a really tempting target.
But surely no one cares about my kettle?!
Well, it’s probably true that groups linked to the Russian or North Korean governments are not plotting how to make the perfect cup of tea using your kitchen equipment.
But there are risks, and they may be greater than you’d imagine.
The biggest problem with smart devices (everything from TVs to fridges, doorbells to baby monitors, light-bulbs to yes, kettles) is that people don’t think of them as computers. They sit there, with a processor, memory, an operating system and an internet connection – but we never think of them that way. So, we don’t think about how they log in to our network. How they get software and security updates and patches. Whether they have default admin credentials that are shared with however many million similar devices may exist all over the world.
Imagine you had a computer logged in permanently to your network with all those security flaws… Actually don’t – you might not sleep tonight.
The most common use of these devices for nefarious purposes is to corral them into a “botnet” – a network of devices which can be remotely controlled. As part of this botnet, these smart devices can be used for DDoS (distributed denial of service) attacks on other networks.
For those of you not familiar with the idea of a DDoS attack, imagine your company website. It sits there, waiting to serve information to your customers, and perhaps to sell things to them. It takes visitors a bit like your company’s switchboard takes phone calls. And just as your switchboard may have a limit of, say, 4 incoming calls at a time, so your website has a limit on the number of pages it can send out or requests it can respond to at a time. Perhaps that limit is 1000. Perhaps it’s as high as 50,000. But what if the millions of smart devices like your kettle all around the world suddenly start trying to connect to your site simultaneously? It would be like having hundreds of those annoying automated phone calls all trying to call your switchboard at the same time.
It would be annoying to your switchboard.
But it would also stop those genuine customers who really do need to call you – or, in this case, visit your website – from getting through. And if they can’t get through for long enough, they’ll give up and go elsewhere.
So there we have it. Your kettle could be being used as part of an international plot to knock the Washington Post offline. Or some other site.
You could possibly still get away with the attitude of “so what” about this. As long as your kettle still makes your tea, do you really care? Possibly not. But wind up a second.
The reason your kettle / fridge / TV can get onto the internet to be “smart” is that it can connect to your router. If it can connect to your router, and still has all its default security settings, passwords and, yes, security flaws in place, then that’s one big hole in your own home network. If a hacker can connect to your TV, they can connect (they have already connected) to your network.
What else is on that network? Your PC. Your laptop. Your phone. Those devices that you use for watching cat videos, chatting with friends on Facebook, maybe catching up with the odd work email and doing your internet banking. And now, you’re doing all that while some random, malicious third-party sits on your network watching.
Do you care about that?
Perhaps you do your internet banking using all these devices, but in any case, you have nothing in your bank account, so you really don’t care…
In which case, might I suggest that you return to the top and start reading again?
Barely 24 hours after I wrote this post, there was a story in The Guardian about a couple of retirees from near Cambridge who lost over £40,000 to a scam. Despite it being clear that this was a highly professional operation, and despite the involvement of the police in a stakeout operation to catch the scammers, the bank refused to refund the lost money.
This appears to be in direct contravention of a newly-agreed code of conduct, according to which banks would need to find that the account holders had been grossly negligent. It also appears, however, to be far from a one-off.