Hackers selling stolen personal details for less than Dh200

Companies can spend a fortune on sophisticated cyber security but they will still be vulnerable if employees use weak passwords

DUBAI , UNITED ARAB EMIRATES , SEP 20  ��� 2017 : - Guests watching the video presentation during the press conference of Kaspersky Lab regarding Cyber crime held at the Media One hotel in Dubai Media City in Dubai. ( Pawan Singh / The National ) Story by Nawal
Powered by automated translation

Hackers are stealing the confidential details of consumers and unprotected businesses and selling them to other cyber criminals for less than Dh200, according to a report by security company Kaspersky Lab.

The stolen information can include data from compromised email accounts, social media profiles, transaction details and bank inventories. These are taken through remote access to servers and from popular consumer services like Careem and Netflix.

The data can be used by criminals to empty users' bank accounts and gain access to their cards, a crime that UAE customers have fallen victim to.

One of the common links among all these breaches is weak passwords, industry experts said.

"There is a pervasive issue of weak password re-use, leading to frequent stealing of data," John Shier, senior adviser at Sophos, a British security company, told The National.

"A simple breach of a social media account can lead to the compromise of a webmail account... once in your webmail account, an attacker can reset other passwords – including banking details," he said.

This also gives criminals the ability to impersonate the victim to the point where they may be able to use the stolen identity to gain access to confidential resources at the victim’s workplace, Mr Shier said.

At a time when security professionals are recommending next-generation identity-management techniques such as facial recognition and biometric identification, just over 80 per cent of large Gulf enterprises still use usernames and passwords as the exclusive means of log-in, according to Microsoft's 2018 Digital Transformation survey.

“One small misconfiguration, as we saw in the Capital One breach, can get you into trouble. This, coupled with the fact that some companies collect too much data to begin with, is compounding the problem,” Mr Shier said.

The average cost of data breaches in the Arabian Gulf region’s two biggest economies – the UAE and Saudi Arabia – was $5.9 million (Dh21.6m) in 2019, a 12.4 per cent year-on-year increase, according to a study conducted by tech giant IBM Security and Michigan-based Ponemon Institute. This amount was second only to the US, which experienced the highest total average cost of data breach, at $8.19m.

IBM and Ponemon interviewed IT, data protection and compliance professionals from 500 global companies that have experienced a data breach between July 2018 and April 2019.

"Bad actors no longer hack into corporate networks, they simply log in using weak, default or stolen credentials. Then they settle in and wait for the right time to secure access to critical systems and sensitive data," Kamel Heus, regional director at software protection company Centrify told The National.

A simple breach of a social media account can lead to the compromise of a webmail account… once in your webmail account, an attacker can reset other passwords – including banking details

Hackers are always going to look for the easiest way, Mr Heus said, adding that cyber criminals do not have go up against sophisticated technology when employees continue to use weak passwords or divulge their credentials.

Organisations in the Middle East reported the highest average number of breached records in 2019 – 38,800 records per incident, compared to the global average of around 25,500, IBM said.

According to US researcher Gartner, the average cost globally of identifying and stopping a data breach is $2.1m, compared to $3.5m in the Arabian Gulf region.

“Year after year, our analysis shows that more than 90 per cent of data breaches are preventable – in 2018 it was 95 per cent,” said Salam Yamout, the Internet Society’s Middle East regional director.

"The Capital One incident is a grave reminder that companies holding personal and sensitive data need to be extra vigilant," Ms Yamout said, adding that the responsibility for good data security lies with everyone in an organisation, not just management or the IT team.

One of the world's biggest data breaches was reported last month when a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications.

Paige Thompson is accused of breaking into a Capital One server and gaining access to 1.14 million social insurance numbers in the US and Canada as well as 80,000 bank account numbers. The suspect also had people's names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.

David Weston, creator of Microsoft’s Windows Red Team anti-hacking unit said that moving data to the cloud could avoid data breach attacks.

Former Amazon employee Paige Thompson was arrested and charged by the FBI over the Capital One hack

"Cloud uses advanced analytics to detect any data breach attempt at an initial stage. Besides, everything is backed up in cloud… so the chances of retrieving stolen data are always higher," said Mr Weston.

Users can safeguard their data by using strong passwords, multi-factor authentication, keeping software updated and always being careful with email.

"Security and privacy are not absolutes and must evolve. Organisations need to regularly review their procedures for collection, storage, use, management and security of all data," Ms Yamout said.

Mandatory Credit: Photo by JUSTIN LANE/EPA-EFE/Shutterstock (10350637a)
People walk past a Capital One Bank branch a day after the company confirmed that a data breach exposed information on more than 100 million credit card applicants in the US, as well as six million in Canada, in New York, New York, USA, 30 July 2019. According to law enforcement, Paige A. Thompson was arrested in Seattle for stealing the information and then sharing it online. Capital One has reported that no credit card numbers or login information was obtained, but 140,000 social security numbers were compromised.
Capital One confirms over 100 million exposed in data breach, New York, USA - 30 Jul 2019

Lessons learnt from the Capital One breach

One of the world's biggest data breaches was reported last month when a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications.

Paige Thompson, a former employee of Amazon Web Services, is accused of breaking into a Capital One server and gaining access to millions of social security numbers, account details and personal records.

Here are some of the lessons learnt from Capital One breach:

Confidential data was not encrypted

Investigators said the hacker obtained access to the confidential data – which was not encrypted (another big blunder) – through a wrongly configured firewall, a security system that controls incoming and outgoing network traffic.

"The burden of securing networks involves not just patching systems to ensure they don't have any unwanted holes but also testing your controls and firewalls to make sure they are operating as intended," said John Shier, senior adviser at British security firm Sophos.

Do insiders pose a security risk?

Although it is not clear whether the Capital One breach is the result of insider access or privileged information abuse, it has brought this issue into the open. The alleged perpetrator, who has been indicted by the US authorities, was once employed at Amazon Web Services, which hosted Capital One data.

"This meant that they [the perpetrator] would have had inside knowledge and privileged access to the system’s environment. The alleged attacker may or may not have used their inside knowledge to pull off the crime, but it does remind us that privileged insiders pose a risk that is difficult to mitigate," Mr Shier said.

'Exhaustive' training of staff is a must

Misconfiguration of firewalls is the direct result of human error and complacency. There should be qualified cyber security personnel to manage the network and organisations need to ensure their security staff are familiar with the latest trends and product knowledge.

"Organisations must conduct exhaustive training, risk assessment, identify all their valuable data assets and figure out how much risk they are willing to take at any point of time," said Manikandan Thangaraj, vice president at ManageEngine, a Dubai IT management firm.

Are clouds still secure?

So far, developments in the Capital One case do not point to a weakness of the cloud infrastructure managed by Amazon web services. However, it was found that there was a glitch in the authentication process which is gone through before allowing anyone to access the network.

Ms Thompson used a web vulnerability known as Server-Side Request Forgery that enables a hacker to access restricted parts of a network by using fake credentials. This is just like an employee getting into a restricted area by forging the details of a legitimate access card.