How hackers are playing the long game with consumers after data breaches
5 October 2016
The Yahoo breach of 500 million accounts has brought hacking under the spotlight again. It was the largest known breach at a single company, with hackers stealing names, email addresses, telephone numbers, dates of birth and encrypted passwords.
Although the breach did not include payment card and bank account data, the information the culprits did steal is commonly used in social engineering attacks, where hackers build up a profile of a user in a bid to gain access to their financial details.
“Over the last 18 months or so attacks have been entirely prevalent around getting more access,” Charles Read, regional director of UK, Ireland and Benelux at OneLogin, told Business Reporter when we talked to him about social engineering and current trends in cyber-crime.
“They want access to your account, particularly your email, because in that there is probably a whole plethora of other information that they would like to have, such as password reset links from an account you have forgotten your password to.
“We see breaches that lead from phishing attacks. Criminals sit on these credentials for a long time and then a year later or a year and a half later they start feeding out. Nothing happens after a breach so people forget about it.
“Hackers use the information years later to go after some more data, then use it to get more data still, and build it up until they have enough data from a criminal perspective to do something meaningful with.
“This can open up huge problems for companies – phishing attacks that are driven from stolen credentials. It is quite a broad subject but this is very much the theme everywhere at the moment.”
The main information hackers are after besides usernames and passwords, says Read, is dates of birth and addresses, because this allows them to take the attack to a different level.
He says: “Hackers could then spoof a person’s identity, which might give them access to financial information.”
“The current trend for when hackers do gain access is to take discreet amounts of money instead of the big cash, as it is less likely to raise suspicion.
“We have seen a couple of cases recently where they just take a penny off each person’s account or two pennies here and there,” he says. “The idea being, if you have 10 million users and you take a penny from every user, that is quite a bit of money.”
Read says that if, for example, a hacker can establish from the accumulated information that someone is a prolific online shopper, that person might not notice 10 transactions instead of nine on a bank statement. Such users are considered easy prey by hackers, as some shopping websites do not have the same level of security as a bank.
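The penny-skimming pattern Read describes is easier to spot at the aggregate level than on any one statement: a single counterparty taking a tiny amount from a very large number of distinct accounts. The following is an added example, not code from the article or from OneLogin; the ledger records, the counterparty names and the thresholds (a maximum of 5p per debit, at least 1,000 distinct accounts) are constructed assumptions for illustration.

```python
"""Added example (not from the article): flag a 'penny-skimming' pattern,
where one counterparty takes a tiny debit from a very large number of
distinct accounts. All records below are constructed sample data."""
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger: (account_id, counterparty, amount_in_pounds).
# Two ordinary merchants, one counterparty taking 1p from 1,200 accounts,
# and one taking 2p from 15 accounts (below the alert threshold).
SAMPLE_DEBITS = [
    ("acct-0001", "Grocer Ltd", Decimal("42.10")),
    ("acct-0002", "Grocer Ltd", Decimal("8.99")),
    ("acct-0001", "Cafe Co", Decimal("3.20")),
] + [
    (f"acct-{i:04d}", "MERCHANT-X", Decimal("0.01")) for i in range(1, 1201)
] + [
    (f"acct-{i:04d}", "MERCHANT-Y", Decimal("0.02")) for i in range(1, 16)
]


def find_micro_skimming(debits, max_amount=Decimal("0.05"), min_accounts=1000):
    """Return {counterparty: (distinct_accounts, total)} for every counterparty
    that debits at most `max_amount` from at least `min_accounts` distinct
    accounts. Both thresholds are hypothetical tuning knobs, not figures
    from the article; a real deployment would set them per portfolio."""
    accounts = defaultdict(set)      # counterparty -> set of account ids
    totals = defaultdict(Decimal)    # counterparty -> sum of small debits
    for account_id, counterparty, amount in debits:
        # Only tiny positive debits count towards the pattern.
        if Decimal("0") < amount <= max_amount:
            accounts[counterparty].add(account_id)
            totals[counterparty] += amount
    return {
        cp: (len(accts), totals[cp])
        for cp, accts in accounts.items()
        if len(accts) >= min_accounts
    }


if __name__ == "__main__":
    for cp, (n, total) in find_micro_skimming(SAMPLE_DEBITS).items():
        print(f"{cp}: {n} accounts, total {total}")
```

Keying on the number of distinct accounts rather than on the total amount is the point: 1p is invisible per customer, while 1,200 customers paying the same counterparty 1p each is a signature no legitimate merchant produces.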
According to Read, the best way to reduce the risk of cyber-attacks is two-factor authentication, combined with designing systems so that a criminal who gets into one part cannot use that foothold to reach the others.
“People laugh at [the Cold War submarine film] The Hunt For Red October thing, where it needs four people with keys to gain entry at the same time. But IT systems are built the same way – you have to have a lot of different people in the company all working in collaboration to engineer something bad.
“It is the same from the external hacking perspective. Hackers would have to get into a whole bunch of different parts of the system to actually get to the point where they could use that data in any meaningful way.
“Once hackers are inside the environment they can get information out very easily, but generally the information which gets exposed in a lot more recent hacking attacks has been personal information that could be then used to leverage other forms of attack.”
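Two-factor authentication is the concrete control Read recommends against credentials that are stolen and "fed out" a year later: a leaked password is useless without the second factor. The block below is an added example, not code from the article or from OneLogin. It implements the time-based one-time password scheme of RFC 6238 (HMAC-SHA1, 30-second steps, six digits) with a one-step tolerance window and a replay check; the secret is the published RFC 6238 test-vector key, used here as constructed sample data.

```python
"""Added example (not from the article): a minimal TOTP second factor
(RFC 6238, HMAC-SHA1, 30 s step, 6 digits) with a replay check, so that a
stolen password alone is not enough to log in. The secret below is the
RFC 6238 test-vector key, used as constructed sample data."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically
    truncate to 31 bits, then keep the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


class SecondFactor:
    """Server-side verifier: accepts the current step and its neighbours
    (clock skew), and never accepts a step at or before the last one used."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for candidate in (counter - 1, counter, counter + 1):
            if candidate <= self.last_accepted_counter:
                continue  # replayed, or older than a code already accepted
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


# RFC 6238 test-vector secret (constructed sample data, not a real credential).
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = SecondFactor(RFC6238_SECRET)
    code = totp(RFC6238_SECRET, 59)
    print("code at T=59:", code)                      # 287082 per RFC 6238
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
```

The replay check matters as much as the HMAC: without it, a code captured by a phishing page stays valid for the rest of its 30-second step and the neighbouring one, which is exactly the window a real-time relay attack needs.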
Cyber-criminals are certainly getting more sophisticated in their attacks, and the Yahoo breach – among others – has highlighted how vulnerable companies and consumers can be. So it is important that, in the face of social engineering, companies and consumers have a plan in place to protect against it.