Friday 5 February 2016

Understanding The Global Proliferation In Cyberattacks, Cybercrime And Data Breaches

What is a cyber-attack, e-crime?

A cyber-attack is a deliberate and malicious attempt by an individual(s), organization(s) or nation states to remotely/anonymously take control, steal or alter information in a computer system/website, computer network(s), and/or an internet connected device.
On the other hand, an e-crime (electronic crime), also known as cybercrime, denotes a criminal or fraudulent activity carried out with a computer or other internet-enabled electronic device. According to South Africa’s, “cybercrime costs the global economy $445 billion a year and that if cybercrime were to be a nation, it would have been the 27th biggest economy in the world in terms of GDP”.

Cyber-attacks, e-crime Bask on Technology, Internet-enabled Devices

The world is changing at a rapid pace. The advent and proliferation of computers and cheap internet-enabled mobile devices, together with technological advancements such as Big Data or Data Mining, Network Based End Point Security, Cloud computing/storage, wearable technology, Bring Your Own Device (BYOD), Internet of Things (IoT), e-commerce, e-government services, online games, and a cashless economic policy buoyed by a preference for payments with Credit/Debit Cards, mobile phone and internet banking, certainly have cybersecurity ramifications and have triggered a spike in multifaceted electronic fraud and cyber-attacks. Evidence points to the fact that there may be no limit to the (mis)application of technology: these days CCTV cameras or webcams and car brakes can be hacked from a remote location. Cybercriminals can maneuver Automatic Teller Machines to dispense cash at pre-determined times and locations. The Radio Frequency Identification (RFID) technology in a credit card reader is aiding electronic pickpockets (hands-free pickpocketing). A challenge with investigating and curbing cybercrimes is that cybercriminals are technology-savvy, know the loopholes and can ensconce themselves across international borders, hence basking in what an expert called a 'virtual impunity'.

Cyber-attacks, hacking, a global problem

The year 2015 is widely cited as the year of monumental data breaches and 2016 will not be different. In November 2015, Mr. Tomi Oladipo, BBC Africa Security Correspondent, penned a report in which cybersecurity experts warned that cybercrime is Africa's 'next big threat'. The threat is not unique to Africa, nay Nigeria, but a global menace. In what was dubbed “the great bank robbery”, Kaspersky Lab reported that in a massive cyber-heist spread over two years, the Carbanak multinational cyber gang stole about $1 billion from 100 financial institutions worldwide (in around 30 countries).

A Worrying Phenomenon, Dimension

A worrying trend these days is that state and non-state actors (hacktivists, cyber extortionists and cyber-criminals) are leaning towards unprecedented DDoS cyber-attacks, cyber-warfare (STUXNET malware, BlackEnergy), cyber-espionage (PRISM Surveillance program) or cyber-terrorism. The United States, China, Russia, Iran and North Korea, amongst others, point accusing fingers at one another for cyber-attacks. Recall that in 2010, bent on stopping Iran from becoming a nuclear power state, the United States and Israel allegedly deployed “Stuxnet”, a computer virus, to destroy centrifuges in an Iranian nuclear facility. Non-state actors such as the Syrian Electronic Army, CyberCaliphate and Anonymous Hackers, amongst others, are often in the news for cyber-attacks and hacking. Sequel to recent political wrangling between Turkey and Russia over the downing of a Russian jet by the former, Turkish hacktivists reportedly mounted a powerful DDoS attack against the website of the Russian Central Bank, taking it offline for about 10 minutes. A bank in Sharjah, United Arab Emirates, was breached by a cyber-criminal who exfiltrated sensitive data belonging to the bank's clients. A group of hackers that goes by the moniker “Armada Collective” hit three Greek banks with DDoS attacks, disrupting the banks' online banking platforms for a few hours, and demanded ransom in Bitcoins in order to stop further attacks.

Litany of Cyber-attacks, e-crime

The way it is going, it appears a company/organization is of no consequence if it has not been hacked. The following incidents lend credence to the global proliferation of cyber-attacks and e-crime. The United States Office of Personnel Management suffered a cyber-attack leading to the theft of personal information of nearly 18 million current and former government employees. The European Central Bank and some Norwegian banks and companies were hit by cyber-attacks sometime in 2015. In a suspected case of state-sponsored hacking or cyber-espionage, hackers accessed the schedule of President Obama's whereabouts in the White House. The website of the United States State Department was allegedly breached by Russian hackers and subsequently had to be shut down to remove malware. Sometime in January 2015, Twitter and YouTube accounts of United States military command officials who oversee operations in the Middle East were hacked. Sony Pictures was hacked last year in response to the release of a movie, "The Interview". A few months ago, the Canada-based Ashley Madison website, popular as an online married dating portal for extramarital affairs, was purportedly hacked by ‘The Impact Team’. Sometime in 2015, the British National Crime Agency estimated that cyber-criminals sneaked away about £20million sequel to a cyber-attack with a very sneaky and virulent malware known as Dridex, which infected and gained access to thousands of computers used for internet banking in the United Kingdom. The Dridex Trojan infected computers through a malicious Microsoft Office document, characteristically camouflaged as an invoice emailed to victims. The malware tricks people into installing it on their internet-enabled electronic devices and snoops on their bank account details, which it sends back to the cyber-criminals. The Royal Bank of Scotland (RBS) revealed that between January and September 2015, almost 5,000 customers fell victim to scams, at a cost of more than £25m.
In November 2015, United States officials confirmed that banks (J.P. Morgan is one of them) and other financial institutions in the U.S. suffered one of their biggest-ever data breaches when hackers hit bank accounts of about 100 million people and that the "hundreds of millions of dollars in illicit proceeds" was subsequently “laundered through at least 75 shell companies and bank accounts around the world”. In December 2015, the websites of the Lagos State government and Nigeria’s Court of Appeal were reportedly hacked by so-called “Islamic Activists”.

Modus Operandi of Cyber-criminals

Cyber-criminals employ motley schemes to perpetrate their trade. A threat group known as FIN1, which specializes in stealing payment card data from financial services organizations, was said to have added a bootkit with a comprehensive backdoor utility to its malware toolkit. This novel malware kit ensures the persistence of the group's malware in the target organizations' systems even after an Operating System is reinstalled. Generally speaking, the stock-in-trade of cybercriminals includes but is not limited to: masterminding distributed denial of service (DDoS) attacks; deploying ransomware (a type of malicious software designed to restrict access to a computer or an electronic device until a sum of money is paid to the perpetrators); social engineering; spamming; phishing scams (luring an internet user to reveal personal details such as passwords and credit card information on a fake web page, or sending an email purporting to emanate from a legitimate company such as their bank); electronic funds transfer fraud; cloning ATM cards or social media profiles of prominent persons; identity theft; hacking a Point of Sale (PoS) machine or popular online shopping or bank websites; and sending scam emails or malicious links offering to sell the latest gadgets (smartphones, PlayStation, Xbox, laptops amongst others) at ridiculously low prices.

Booming Online Shopping, Internet Banking in Nigeria portends a spike in cyber-attacks, e-crime

Not to be outdone, it is now a trend especially amongst young, busy and upwardly mobile Nigerians to shop online, make payments and wire funds via internet banking.
Given the aforementioned trend, Nigerians must brace up for cyber-attacks. It is high time folks upped their game and became cyber-safety savvy to forestall falling victim to the whims and caprices of cyber-criminals. Notwithstanding the preachments of Nigerian financial institutions and online shops on how safe their platforms are, the truth remains that establishments in this clime have a lot of catching up to do with regards to their capacity to preemptively forestall cybercrimes. If you are abreast of events, goings-on, shortcomings or vulnerabilities inherent in online transactions as this writer is, you will be wary of keying your debit/credit card details into online shopping websites. The best bet is to use a prepaid debit card that is not connected to one’s bank account for online transactions. It will interest you to know that a new study in the United Kingdom says many Brits don’t trust online banking. Even a foremost British professor of security engineering at the University of Cambridge, Prof. Ross Anderson, refuses to bank online and says he has no plans to do so. Another cybersecurity expert, Mr. Richard Emery, is equally critical of internet banking platforms but says he is reluctant to give up internet banking as he has come to rely on it. PCWorld reports that, “Researchers from Berlin-based Security Research Labs (SRLabs) investigated the security of payment terminals in Germany and were able to use them to steal payment card details and PIN numbers, hijack transactions and compromise merchant accounts”.

The Impact of Cyber-attacks, e-Fraud on Nigeria

If the aforementioned Western institutions that are supposedly abreast of global best practices were hacked, your guess is as good as mine regarding how cyber-safety compliant many Nigerian institutions are. A while ago, the deputy governor, Financial Systems Stability, Central Bank of Nigeria, Mr. Adebayo Adelabu, opined that 2.4 percent of banking revenue in Nigeria was lost to fraud cases. According to Adelabu, Nigerian banks lost a total of N159 billion through electronic fraud and identity theft between 2000 and the first quarter of 2013. About 2,175 websites in Nigeria (585 are government-owned) were said to have been hacked or defaced within the same period. Popular Nigerian online forum Nairaland was hacked in 2014 and private information of its users stolen. The Nigerian Deposit Insurance Corporation (NDIC) asserts that, in the year ended December 31, 2014, Nigerian banks reported 10,612 fraud cases, as against 3,786 in the corresponding period of 2013, “representing an increase of a whopping 182.77 per cent.” The NDIC report cited that the rise in “expected/actual loss in fraud and forgeries was mainly due to the astronomical increase in the incidence of web-based (online banking)/ATM and fraudulent transfer/withdrawal of deposit frauds.” Recall that a Nigerian bank IT staff was declared wanted for masterminding a $40million cyber-theft from his bank. Lately a staff of the Economic and Financial Crimes Commission (EFCC), one Mr. Ibrahim Shazali, raised an alarm that “all Nigerian banks are highly exposed to electronic attacks and lacks the necessary legal protection to deter and prosecute offenders”. To masterminds of cybercrime in Nigeria, desist from your ignoble craft; bear in mind that the Nigerian cybercrime bill prescribes a death sentence for culprits.

Urgency of a Data Protection Law in Nigeria

To whom much is given, much is expected. There seems to be some kind of competition among different agencies of government in Nigeria to amass personal information (fingerprints, dates of birth, addresses, phone numbers, and passport photographs) of Nigerians. No doubt this is well-intentioned, but the problem is that it appears we are putting the cart before the horse. Nigeria is currently bereft of an avant-garde Data Protection Law, which is what obtains in most advanced climes. We understand that the NIMC (National Identity Management Commission) is bent on collating, integrating or synchronizing the various data domiciled with the Federal Road Safety Commission (FRSC), the Independent National Electoral Commission’s Permanent Voter Card (PVC) registration, National Population Commission (NPC), SIM card registration data, Bank Verification Numbers (BVN) and the national e-ID Card into a single national database. At the risk of being dubbed a prophet of doom, this writer re-iterates and foretells dire national security consequences if the process involved in amalgamating the humongous private data of Nigerians is bungled and if the data is not well safeguarded or lacks very stringent cybersecurity measures (checks and balances). Recall how the private information of some staff of Nigeria’s Department of State Security (SSS) was leaked online some time ago. Not long ago, the personal data of about 20 million South Koreans, or 40% of the country's population, was stolen ostensibly by cybercriminals. Lately, the personal information of more than 12 million Dutch mobile phone owners was said to be easily accessible to hackers.

From the foregoing, it is evident that there is a global, geometric rise in sophisticated cyber-attacks and cybercrime by state and non-state actors. Interestingly, it appears cybercriminals are somewhat one step ahead in the game; just when the experts are cocksure of their defensive strategies, the criminals manage to find a vulnerability or backdoor. However, all hope is not lost. If you want to know some cybersecurity tips to help you stay ahead of the game, read my article: 25 Cybersecurity, Online Best Practices, Tips.

February, 2016
© Don Okereke
Follow Don on Twitter: @DonOkereke
Don Okereke is a passionate, innovative, Information Technology, Social Media-Savvy and proven Security Adviser/Consultant, Entrepreneur, Researcher, Writer, and Change agent with over 17 years combined Military (Air Force), Private/Industrial Security, entrepreneurial, management skills/experience distilled from Nigeria and the United Kingdom. Don loves entrepreneurship and is the Founder/CEO of Forenovate Technologies Limited (RC 755695). Inter alia, Don completed postgraduate modules in Forensic Engineering & Science from Cranfield University (Defense Academy), Shrivenham, United Kingdom, a first degree in Industrial Chemistry, a Professional Certificate/training in Communication and Conflict Management from the United Kingdom National Open College Network, a Certificate in Security Practice & Safety Management and a Certificate of Accomplishment in Terrorism & Counter-terrorism: Comparing Theory & Practice from Leiden University (MOOC), Netherlands. His interest and expertise span Security/Safety/ICT/Cultural Awareness Training, Threat/Travel Advisory, Risk Assessments & mitigation, Security survey/mapping, Loss/Fraud Prevention, Due Diligence and Investigations, Executive/Asset Protection, Business Continuity & Emergency Planning, Background Screening/Vetting, Competitive Intelligence, Research and Open-Source Intelligence (OSINT) Information Retrieval, Countering Violent Extremism Advocacy and Public Speaking, amongst others. Don has featured at conferences/seminars as a Guest Speaker and he is routinely consulted by foreign, local, print/electronic organizations for his expert opinion on issues impinging on national, personal security and geopolitics. His passion and knack for writing have seen his articles published in major Nigerian newspapers such as The Guardian, The Nation, NewsWatch, Tell Magazine and various reputable local and foreign social media/online platforms.
Don loves humanity; disappointed with the rampaging insecurity, terrorism and insurgency in Nigeria, he took it upon himself to champion an Advocacy Cause against vestiges of insecurity under the aegis of “Nigerians Unite Against Insecurity and Terrorism” and “Say No To Terrorism and Insurgency”.
