What is a cyber-attack, e-crime?
A cyber-attack is a deliberate and malicious attempt by an
individual(s), organization(s) or nation states to remotely/anonymously take
control, steal or alter information in a computer system/website, computer network(s),
and/or an internet connected device.
On the other hand, an e-crime (electronic crime), also known as cybercrime,
denotes a criminal or fraudulent activity with a computer or other internet-enabled
electronic devices. According to South Africa’s news24.com, ‘’cybercrime costs the global economy $445 billion a year and that
if cybercrime were to be a nation, it would have been the 27th biggest economy
in the world in terms of GDP’’.
Cyber-attacks, e-crime
Bask on Technology, Internet-enabled Devices
The world is changing at a rapid pace and the advent, proliferation
of computers and cheap internet-enabled mobile devices and technological
advancements such as: Big Data or Data Mining, Network Based End Point Security,
Cloud computing/storage, wearable technology, Bring Your Own Device (BYOD), Internet of Things (IoT),
e-commerce, e-government services, online games, cashless economic policy
buoyed by a preference for payments with Credit/Debit Cards, mobile phone and
internet banking certainly have cybersecurity ramifications and has triggered a
spike in multifaceted electronic fraud and cyber-attacks. Evidence points to
the fact that there may be no limit to the (mis)application of technology:
these days CCTV Cameras or webcams and car
brakes can be hacked from a remote location. Cybercriminals
can maneuver Automatic Teller Machines to dispense cash at pre-determined time
and locations. The Radio Frequency Identification Technology (RFID) in a credit
card reader is aiding electronic pick-pocketers (hands-free-pickpocketing). A
challenge with investigating and curbing cybercrimes is that cyber criminals
are technology-savvy; know the loopholes and they can ensconce themselves
across international borders hence basking on what an expert called a 'virtual
impunity'.
Cyber-attacks, hacking, a
global problem
The year 2015 is widely cited as the year of monumental data
breaches and 2016 will not be different.
In November 2015, Mr. Tomi Oladipo, BBC Africa Security Correspondent
penned a report where cybersecurity experts warned that cybercrime is Africa's
'next big threat'. The threat is not just unique to Africa, nay Nigeria but a
global menace. In what was dubbed the ‘’the great bank robbery’’, Kaspersky Lab
reported that in a massive cyber-robbery heist spread over two years, Carbanak
multinational cyber gang stole about $1 billion from 100 financial institutions
worldwide (in around 30 countries).
A Worrying Phenomenon,
Dimension
A worrying trend these days is that state and non-state actors (Hacktivists,
cyber extortionists and cyber-criminals) are leaning towards unprecedented
DDoS cyber-attacks, cyber-warfare (STUXNET malware, BlackEnergy), cyber-espionage
(PRISM Surveillance program) or cyber-terrorism. The United States, China,
Russia, Iran, North Korea amongst others, point accusing fingers on one another
for cyber-attacks. Recall that in 2010, bent on stopping Iran from becoming a
nuclear power State, the United States and Israel allegedly deployed
‘’Stuxnet’’, a computer virus to destroy centrifuges in an Iranian nuclear
facility. Non-state actors such as the Syrian Electronic Army, CyberCaliphate,
Anonymous Hackers amongst others are often in the news for cyber-attack,
hacking. Sequel to recent political wrangling between Turkey and Russia over
the downing of a Russian Jet by the former, Turkish hacktivists reportedly mounted a
powerful DDoS attack against the website of the Russian Central Bank, taking it
offline for about 10 minutes. A bank in Sharjah, United Arab Emirates was
breached by a cyber-criminal who exfiltrated sensitive data belonging to the
bank's clients. A group of hackers that go by the moniker – ‘’Armada
Collective” hit three Greek banks with DDoS attacks, disrupting the banks
online banking platform for a few hours and demanded ransom in Bitcoins in
order to stop further attacks.
Litany of Cyber-attacks,
e-crime
The way it is going, it
appears a company/organization is of no consequence if it has not been hacked. The following incidents lend credence to the global proliferation
of cyber-attacks, e-crime. The United States office of Personnel Management
suffered a cyber-attack leading to the theft of personal information of nearly
18 million current and former government employees. The European Central Bank
and some Norwegian banks, companies were hit by cyber-attacks sometime in 2015. In a suspected case of state-sponsored hacking
or cyber-espionage, hackers accessed the schedule of President Obama's whereabouts in the White House. The website
of the United States State Department was allegedly breached by Russian
hackers and had to subsequently shut down to
remove malware. Sometime in January 2015, Twitter and YouTube accounts of
United States military command officials who oversee operations in the Middle
East were hacked. Sony Pictures was hacked last year in response to the release
of a movie - "The Interview". Few months ago, Canada-based Ashley
Madison website, popular as an online married dating portal for extramarital
affairs was purportedly hacked by ‘The Impact Team’. Sometime in 2015, the
British National Crime Agency estimates that cyber-criminals sneaked about £20million
sequel to a cyber-attack with a very sneaky and virulent malware known as Dridex
which infected and gained access to thousands of computers used for internet
banking in the United
Kingdom. The Dridex Trojan infected computers
through a malicious Microsoft Office document, characteristically camouflaged
as an invoice emailed to victims. The malware tricks people into installing it
on their internet-enabled electronic devices and snoops on their bank account
details which it sends back to the cyber-criminals. The Royal Bank of Scotland
(RBS) revealed that between January and September 2015, almost 5,000 customers
fell victim to scams – at a cost of more than £25m. In November 2015, United
States officials confirmed that banks (J.P. Morgan is one of them) and other
financial institutions in the U.S suffered one of its biggest-ever
data breaches when hackers hit bank accounts
of about 100 million people and that the "hundreds of millions of dollars
in illicit proceeds" was subsequently ‘’laundered through at least 75
shell companies and bank accounts around the world’’. In December 2015, the websites of the Lagos State government and
Nigeria’s court of Appeal were reportedly hacked by so-called ‘’Islamic
Activists’’.
Modus Operandi of
Cyber-criminals
Cyber-criminals employ motley schemes to perpetrate their trade. A
threat group known as FIN1 which specializes in stealing payment card data from financial
services organizations was said to have added a bootkit with a comprehensive
backdoor utility to their malware toolkit. This novel malware kit ensures the
persistence of their malware in the target organizations' systems even after
reinstalling an Operating System. Generally speaking, the stock-in-trade of
cybercriminals includes but not limited to: masterminding a distributed denial
of service attacks (DDoS), deploying a ransomware (a type of malicious software
designed to restrict access to a computer or an electronic device until a sum
of money is paid to the perpetrators), social engineering, spamming, phishing
scams (luring an internet user to reveal personal details such as passwords and
credit card information) on a fake web page or send an email purporting to
emanate from a legitimate company (like their bank), electronic funds transfer
fraud, cloning ATM Cards or social media profiles of prominent persons, identity
theft, hacking a Point of Sale (PoS) Machine or popular online shopping or bank
websites, sending scam emails or malicious links offering to sell latest
gadgets - Smartphones, PlayStation, Xbox, laptops amongst others at
ridiculously low prices.
Booming Online Shopping,
Internet Banking in Nigeria portends a spike in cyber-attacks, e-crime
Not to be outdone, it is now a trend especially amongst young,
busy and upwardly mobile Nigerians to shop online, make payments and wire funds
via internet banking.
Given the aforementioned trend, Nigerians must brace up for cyber-attacks. High-time folks upped
their game, became cyber-safety savvy to forestall falling victim to the whims
and caprices of cyber-criminals. Notwithstanding
the preachments of Nigerian financial institutions and online shops on how safe
their platforms are, the truth remains that establishments in this clime have a
lot of catching up to do with regards to their capacity to preemptively
forestall cybercrimes. If you are abreast with events, goings-on, shortcomings
or vulnerabilities inherent in online transactions as this writer is, you will
be wary of keying your debit/credit card details into online shopping websites. A best bet is to use a prepaid debit card
that is not connected to one’s bank account for online transactions. It will
interest you to know that a new study in the United Kingdom says many Brits don’t trust online banking.
Even a foremost British professor of security engineering at the University of
Cambridge – Prof.
Ross Anderson refuses to bank online and
says he has no plans to do so. Another cybersecurity expert – Mr. Richard Emery
is equally critical of internet banking platforms but says he
is reluctant to give up internet banking as he has
come to rely on it. PCWorld reports
that, ‘’Researchers from Berlin-based Security Research Labs (SRLabs) investigated the security
of payment terminals in Germany and were able to use them to
steal payment card details and PIN numbers, hijack transactions and compromise
merchant accounts’’.
The Impact of Cyber-attacks,
e-Fraud on Nigeria
If the aforementioned Western institutions that are supposedly abreast
of global best practices were hacked, your guess is as good as mine regarding
how cyber-safety compliant many Nigerian institutions are. A while ago, the
deputy governor, Financial Systems Stability, Central bank of Nigeria, Mr.
Adebayo Adelabu opined that 2.4 percent of banking revenue in Nigeria was lost
to fraud cases. According to Adelabu, Nigerian banks lost a total of N159 billion through electronic
fraud and identity theft between 2000 and the
first quarter of 2013. About 2,175 websites in Nigeria (585 are
government-owned) were said to have been hacked or defaced within the same period. Popular Nigerian online forum Nairaland was hacked in 2014 and private information of its users stolen. The
Nigerian Deposit Insurance Corporation (NDIC) asserts that, in the year ended
December 31, 2014, Nigerian banks reported 10,612 fraud cases, as against 3,786
in the corresponding period of 2013, “representing an increase of a whopping 182.77
per cent.” The NDIC report cited that the rise in “expected/actual loss in fraud and
forgeries was mainly due to the astronomical increase in the incidence of
web-based (online banking)/ATM and fraudulent transfer/withdrawal of deposit
frauds.” Recall that a Nigerian Bank IT staff was declared wanted for masterminding a $40million cyber-theft from his bank. Lately
a staff of the Economic and Financial Crimes Commission (EFCC), one Mr. Ibrahim
Shazali raised an alarm that ‘’all Nigerian banks are highly exposed to
electronic attacks and lacks the necessary legal protection to deter and
prosecute offenders’’. To masterminds
of cybercrime in Nigeria, desist from your ignoble craft; bear in mind that the
Nigerian cybercrime bill prescribes a death sentence for culprits.
Urgency of a Data Protection
Law in Nigeria
To him much is given, much is expected of him. There seem to be
some kind of competition by different agencies of government in Nigeria to
amass personal information (fingerprints, dates of birth, addresses, phone
numbers, and passport photographs) of Nigerians. No doubt this is
well-intentioned but problem is, it appears we are putting the cart before the
horse. Nigeria is currently bereft of an avant-garde Data Protection Law which
is what obtains in most advanced climes. We understand that the NIMC (National
Identity Management Commission) is bent to collate, integrate or synchronize the
various data domiciled with the Federal Road Safety Commission (FRSC), the Independent
National Electoral Commission’s Permanent Voter Card (PVC) registration,
National Population Commission (NPC), SIM card registration data, Bank
Verification Numbers (BVN), national e-ID Card into a single national database.
At the risk of been dubbed a prophet of doom, this writer re-iterates,
foretells dire national security consequences if the process involved in amalgamating
the humongous private data of Nigerians is bungled and if the data is not well
safeguarded, lacks very stringent cybersecurity measures (checks and balances).
Recall how the private information of some staff of Nigeria’s Department of
State Security (SSS) was leaked online some time ago. Not long ago, the personal data of about 20
million South Koreans -- or 40% of the country's
population was stolen ostensibly by cybercriminals. Lately, the personal information
of more than 12 million Dutch mobile phone owners was said to be easily
accessible to hackers.
Conclusion
From the foregoing, it is evident that there is a global, geometric
rise in sophisticated cyber-attacks, cybercrime by state and non-state actors. Interestingly,
it appears cybercriminals are somewhat one-step ahead in the game; just when
the experts are cocksure of their defensive strategies, the criminals manage to
find a vulnerability or backdoor. However, all hope is not lost, if you want to
know some cybersecurity tips to help you stay ahead of the game, read up my
article: 25 Cybersecurity, Online Best Practices, Tips.
February,
2016
© Don Okereke
Follow Don on
Twitter: @DonOkereke
*****************************************************************************************
Bio:
Don Okereke is a passionate, innovative, Information Technology, Social
Media-Savvy and proven Security Adviser/Consultant, Entrepreneur, Researcher, Writer,
and Change agent with over 17 years combined Military (Air Force),
Private/Industrial Security, entrepreneurial, management skills/experience
distilled from Nigeria and the United kingdom. Don loves entrepreneurship and
is the Founder/CEO of Forenovate Technologies Limited (RC 755695). Inter alia, Don completed
postgraduate modules in Forensic Engineering & Science from Cranfield
University (Defense Academy), Shrivenham, United Kingdom, a first degree in
Industrial Chemistry, a Professional Certificate/training in Communication and
Conflict Management from the United Kingdom National Open College Network, a
Certificate in Security Practice & Safety Management and a Certificate of
Accomplishment in Terrorism & Counter-terrorism: Comparing Theory &
Practice
from Leiden University (MOOC), Netherlands. His interest and expertise span Security/Safety/ICT/Cultural
Awareness Training, Threat/Travel Advisory, Risk Assessments & mitigation, Security
survey/mapping, Loss/Fraud Prevention, Due Diligence and Investigations, Executive/Asset Protection, Business
Continuity & Emergency Planning, Background Screening/Vetting, Competitive Intelligence, Research and Open-Source
Intelligence (OSINT) Information Retrieval, Countering Violent Extremism
Advocacy and Public Speaking, amongst others. Don has featured on
conferences/seminars as a Guest Speaker and he is routinely consulted by
foreign, local, print/electronic organizations for his expert opinion on issues
impinging national, personal security and geopolitics. His passion, knack for
writing has seen his articles published on major Nigerian newspapers such The
Guardian, The Nation, NewsWatch, Tell Magazine and various reputable local and
foreign social media/online platforms. Don’s loves humanity; disappointed with
the rampaging insecurity, terrorism and insurgency in Nigeria, he took it upon
himself to champion an Advocacy Cause against vestiges of insecurity under the aegis
of ‘’Nigerians Unite Against Insecurity and Terrorism’’ and ‘’Say
No To Terrorism and Insurgency’’.
No comments:
Post a Comment