Predictions 2018: Human Manipulation Standardization and Obsessing Over End User Authentication
Written by Maria Lobato on November 27, 2017
Not ones to be left out, we’ve compiled our own list of what we can expect to see on the cyber threat landscape in 2018.
From Target to Equifax to OPM, the common denominator has always been an email, a link, or a file attachment. Phishing attacks focus on human weakness and are inherently simple, yet incredibly powerful – and criminals know it. Time and again, fraudsters’ efforts pay off, leaving them with no reason to stop employing phishing attacks. What’s more, no sector, whether banking, government, or private industry as a whole, is immune to the manipulation of human behavior (often called “social engineering” in the fraud security industry), meaning that cybercriminals have almost unlimited targets at their disposal.
The ultimate goal of most attacks is account takeover (ATO), which already results in at least $6.5 billion to $7 billion USD in annual losses across multiple verticals. “By the end of 2020, organizations that cannot leverage machine learning and advanced multi-factor authentication techniques will be unable to keep up with the demands of the digital-driven end user,” says Ricardo Villadiego, CEO of Easy Solutions.
As machine learning and AI technologies are providing great advantages and benefits for organizations and individuals, criminals are also taking advantage of similar technologies. As Villadiego puts it: “The problem is that the same techniques that create incredible conveniences for end users are also being used to create chaos and to harm users and businesses.”
Easy Solutions’ Chief Data Scientist, Dr. Alejandro Correa, agrees. According to Correa, one of the biggest threats that lies ahead is cybercriminals starting to use AI-generated phishing sites and malware designed to avoid detection. Further, as criminals gain a better understanding of how machine learning works, they will modify their attack techniques and malicious software to outperform the capabilities of some algorithms. This is especially worrisome for players that are not using, or do not have access to, large datasets on which to train their AI algorithms, as it is easier for criminals to inject an anomaly and damage the training procedure of a machine learning algorithm when only a shallow data set is being used.
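To make the "shallow data set" point concrete, here is an added illustration (not code from Easy Solutions or from the original post) using a deliberately simple anomaly detector: a threshold of mean plus three standard deviations over a constructed set of legitimate transaction amounts. One injected outlier in the training data shifts that threshold far more when the training set is small, and a median/MAD threshold (a robust-statistics alternative, assumed here as the mitigation) barely moves in either case. The amounts, the outlier value and the 1.4826 MAD scaling are constructed for the example.

```python
from statistics import mean, median, pstdev

# Constructed "legitimate" transaction amounts: a flat spread over 40..60.
def clean_amounts(n):
    return [float(40 + (i % 21)) for i in range(n)]

# Naive detector: anything above mean + k*std is flagged as anomalous.
def mean_std_threshold(amounts, k=3.0):
    return mean(amounts) + k * pstdev(amounts)

# Robust detector: median plus k scaled median-absolute-deviations.
# 1.4826 makes MAD comparable to a standard deviation for normal data.
def median_mad_threshold(amounts, k=3.0):
    m = median(amounts)
    mad = median(abs(a - m) for a in amounts)
    return m + k * 1.4826 * mad

# Poisoning: a single absurd value slipped into the training data.
def poison(amounts, value=100_000.0):
    return amounts + [value]

# Returns (threshold trained on clean data, threshold trained on poisoned data)
# for a training set of size n and the given threshold function.
def threshold_shift(n, threshold_fn, poison_value=100_000.0):
    clean = clean_amounts(n)
    return threshold_fn(clean), threshold_fn(poison(clean, poison_value))

if __name__ == "__main__":
    for n in (20, 2000):
        for name, fn in (("mean+3std", mean_std_threshold),
                         ("median+3MAD", median_mad_threshold)):
            before, after = threshold_shift(n, fn)
            print(f"n={n:5d} {name:12s} clean={before:10.1f} poisoned={after:10.1f}")
```

With 20 training samples the poisoned mean/std threshold lands in the tens of thousands, so almost no fraudulent amount would ever be flagged; with 2000 samples it is still damaged but roughly an order of magnitude less so, while the median/MAD threshold stays within a few units of its clean value in both cases. Larger datasets reduce the damage; robust training procedures reduce it further.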
Unless you’re just coming back from a remote island cut off from the outside world, you will have heard about the Equifax data breach that occurred earlier this year. “The Equifax data breach is not like other data breaches. A different kind of data was stolen – data that very few organizations have and that can be used to cause a lot more damage,” said Silvia Lopez, Chief Marketing Officer at Easy Solutions.
While the news surrounding the breach may have died down, don’t expect cybercriminal activity to quiet down as well. Rather, we can expect to see more fraud attacks as a direct result of this breach, predicts Damien Hugoo, Director of Product Marketing for Easy Solutions.
“Criminals are leveraging this ill-gotten data on the black market, accessing existing online accounts, and opening new ones with the purpose of committing fraud. There’s an even greater need now to be able to detect stolen identities during account opening, loan origination, and credit card openings due to the increased number of stolen identities available on the black market,” he says.
We will also see more instances where the principal email account is at the core of an attack, i.e., a hacked Gmail account is used to open other services and perpetrate fraud, says David Castañeda, Easy Solutions’ Vice President of Development. “This will continue to highlight our dependence on an unsecure (by design) service to secure everything.”
Thanks to past breaches, a lot of stolen personal information is floating around on the black market. It’s no surprise, then, that enterprising cybercriminals will take this data and translate it into account takeover attacks, in which fraudsters gain access to an account and then change a person’s security and contact info, giving them free rein to siphon off funds and charge up a storm, explains Dee Millard, Easy Solutions’ Anti-Fraud Consultant.
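The sequence Millard describes (get in, change the contact or security details, then move money) is also a detectable pattern. The following added example is not Easy Solutions' code or anything from the original post; it runs a simple correlation rule over a constructed account-activity log: a money-movement event (new payee or transfer) is scored by how many distinct profile or security changes preceded it within a 48-hour window, plus one point if it came from a device the account has not seen before, and an alert is raised when the score reaches two. The log format, event names, window and scoring are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp|account|event|key=value;key=value
SAMPLE_EVENTS = """\
2017-11-20T09:00:00|acct-1001|login|ip=203.0.113.5;device=known
2017-11-20T09:02:00|acct-1001|change_email|ip=203.0.113.5;device=known
2017-11-20T09:05:00|acct-1001|change_phone|ip=203.0.113.5;device=known
2017-11-20T09:30:00|acct-1001|add_payee|ip=203.0.113.5;device=known
2017-11-20T09:31:00|acct-1001|transfer|ip=203.0.113.5;device=known;amount=4800
2017-11-20T10:00:00|acct-2002|change_phone|ip=198.51.100.7;device=known
2017-11-25T10:00:00|acct-2002|transfer|ip=198.51.100.7;device=known;amount=120
2017-11-21T11:00:00|acct-3003|login|ip=192.0.2.9;device=new
2017-11-21T11:01:00|acct-3003|change_password|ip=192.0.2.9;device=new
2017-11-21T11:10:00|acct-3003|transfer|ip=192.0.2.9;device=new;amount=2500
"""

# Event classes used by the rule (assumed names for this example).
PROFILE_CHANGES = {"change_email", "change_phone", "change_password", "reset_mfa"}
MONEY_MOVEMENT = {"add_payee", "transfer"}

def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, kind, detail = line.split("|", 3)
        attrs = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
        events.append({"ts": datetime.fromisoformat(ts),
                       "account": account, "kind": kind, **attrs})
    return events

def detect_ato(events, window=timedelta(hours=48), min_score=2):
    """Return one alert per account whose money movement follows recent
    profile/security changes (and/or comes from a new device)."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["kind"] not in MONEY_MOVEMENT:
                continue
            # Distinct profile changes inside the look-back window.
            recent = sorted({p["kind"] for p in evs[:i]
                             if p["kind"] in PROFILE_CHANGES
                             and e["ts"] - p["ts"] <= window})
            new_device = e.get("device") == "new"
            score = len(recent) + (1 if new_device else 0)
            if score >= min_score:
                alerts.append({"account": account, "trigger": e["kind"],
                               "at": e["ts"].isoformat(), "changes": recent,
                               "new_device": new_device, "score": score})
                break  # one alert per account is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_ato(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In the sample, acct-1001 alerts on the new payee added minutes after its email and phone were changed, acct-3003 alerts on a transfer from a new device right after a password change, and acct-2002 does not alert because its phone change happened five days before the small transfer. In production the same rule would feed a step-up authentication or hold decision rather than just printing; the window and score are the knobs to tune against your own false-positive rate.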
Today’s cyber-fraudster has devised sophisticated means of gaining access to sensitive information, to the point that even those on the lookout may have a hard time distinguishing fraudulent sites from their legitimate counterparts. These fraudsters may employ both legitimate URLs and digital certificates on malicious pages, Millard notes, and use two or more branded channels, such as fake mobile apps and brand or social media impersonation, to access personal information and then take over one or multiple accounts.
These and many other political cyberattacks were in the news in 2017. We don’t expect to see that changing anytime soon, especially with increased security risks to critical infrastructure, such as power grids, water systems, and communications, says Castañeda. With the majority of businesses, transactions, and government activities being carried out digitally, there is more than just a need for governments to ensure a safer internet: it is their responsibility.
Apple and Google continue to increase the security of their devices to protect their users from generic attacks, such as information theft by utility apps. However, users can still use their mobile phones in ways that compromise their usernames, passwords, and other confidential data. Man-in-the-Middle attacks, rogue access points (often on open Wi-Fi networks), and malware on jailbroken devices provide the ideal conditions for cybercriminals to target a phone’s weakest security points.
According to Ian Breeze, Product Owner for Easy Solutions Mobile, such attack strategies will become increasingly common over the next year. As most organizations are not monitoring for these types of threats, and respond to them only after they have been carried out, criminals will take advantage of the relatively unprotected weaknesses in mobile security.
Christmas 2017 promises to deliver a lot of Amazon Echoes, Google Homes, and Nests under the tree. “With every AI assistant comes the promise that somewhere, a hacker is looking to gain access to an uncontrolled device,” says Fernando Cuervo, SOC Manager – Latam at Easy Solutions.
And why not? Chances are that they will be successful. “The average user is aware of the possibility of data theft, but unfortunately lacks the skills to mitigate such an attack. Couple this with the fact that most users have fairly lax security practices, and it’s no wonder that home assistants and IoT (Internet of Things) devices will be popular targets in the coming year,” he added.
“WannaCry isn’t going anywhere any time soon. Rather, TrickBot, the rising star of banking Trojans (a dubious distinction to be sure), Locky, and others are building on its success,” says Felipe Duarte, Malware Researcher.
Historically, the hardest part of a financial attack has been cashing out because of the risk of exposure.
Given the increase in channels available to convert traditional money to and from digital currencies (e.g., from a Citibank savings account to a third-party service), attackers will focus on strategies where they can cash out to Bitcoin, Castañeda predicts. This, he says, will continue until the financial and security industries identify effective countermeasures.
In 2016, hackers figured out how to create virtual skimmers – malware that’s installed remotely – which allowed them to steal card information without even touching the ATM, fuel pump, or other ATM-related device. Further, the prevalence of skimming has not abated in the face of EMV technology, which has become more widespread in the United States since 2015.
Hugoo expects that as long as many ATMs continue to support cards with a magnetic stripe, we can expect to see further “investment” in virtual skimmers and, at the very least, an increase in the sophistication of skimming.
What would an end-of-year list be without resolutions for the coming one? Here are our recommendations for organizations looking to create or improve their digital security in 2018:
Organizations that don’t implement the latest fraud protection strategies will likely find that, in 2018 and beyond, they will struggle to maintain their market share and remain relevant in their industry.
Find out more about Easy Solutions.