LP Magazine EU


Web and mobile fraud

Peeling the Onion

Why Retail Data is “Fullz Gold” to Hackers

The onion is a global staple. Everyone uses them. Part of the allium family of plants, it is probably the most versatile of vegetables capable of being finely chopped for salads, omelettes, and to add flavour to stews, bolognese, and just about any other savoury dish on the planet. It also has many layers and a darker side in that chopping it incorrectly can reduce a chef to tears—literally—because it contains a chemical that irritates the eyes’ lachrymal glands causing them to stream, almost uncontrollably. 

The Internet is probably the most versatile invention of the twentieth century and continues to innovate and enlighten our thinking fifteen years into the twenty-first century. And it too has a dark side called The Onion Router (TOR), which also has many layers and is the gateway to the Dark Web, the encrypted space occupied by those who prefer their web browsing to go undetected. Its many tiers also have the ability to reduce its recipients to uncontrollable tears.

Invented by the US Office of Naval Intelligence for military-grade Internet searches, the browser is what cyber expert Paul C. Dwyer would refer to as a “boomerang technology”—something almost thrown away but with the ability to bounce back and hit you on the back of the head when you least expect it.

This is because TOR has since become the weapon of choice for everyone from terrorists, child groomers, drug and people traffickers, murderers, and rapists to “anorexia apologists” encouraging vulnerable teenagers to “starve themselves beautiful” and, as a sideline, offering additional advice on how to commit suicide.

Fighting Fire with Fire

There are many experts in cyber-crime, but few have taken that expertise to the next level and created a network of 3,000 international cyber warriors to wage a form of star wars in the Deep Web against the dark forces that are not only attacking business IT infrastructures, but also undermining the very fabric of society.

“It takes a network to defeat a network.” So goes the mantra of Dwyer who is no stereotypical “geeky” introvert. Indeed, at six feet four with the build of a rugby prop and a luxurious red beard, he is not so much a cyber expert as a “cy-bear” force of nature.

The rapid-fire Dubliner who shoots from the lip is the face behind the International Cyber Threat Task Force (ICTTF) and Cyber Risk International based in Ireland and the UK who evangelises about the risks to business, not just in terms of their easily breached cyber security systems, but also their brand reputations once they are fatally compromised. 

Self-taught, Dwyer worked in a pre-Internet world of computer hardware and software and honed his skill for hacking around the world, from Russia to the US, gaining the attention and the trust of some of the biggest intelligence organisations on the planet. 

“I realised that I needed to be the smartest man in the room, so I went and got an alphabet of letters after my name and started to build a reputation,” said Dwyer. 

He is now an internationally recognised information security expert who has more than two decades of experience and has worked with the US Secret Service, Scotland Yard, the FBI, the National Counter Terrorism Security Office (MI5), and the UK’s National Crime Agency. He has also worked as an advisor to Fortune 500 companies, law enforcement agencies, and NATO.

Such is the potency of the network that Dwyer has established that, through “scraping” or “harvesting,” it can inform member organisations that they are under attack before they realise it themselves.

“It is about real-life events. If people have an issue such as a hacker operating in Latvia, the network can act to stop it. This is the immediacy of the cyber world where the rules are very different to those in the real world.”

The 3,000-strong network shares intelligence with one another on a global basis. The types of intelligence they share can vary and can include training each other on how to detect and defend against cyber threats. So one bank may be in a different country but could help a bank on the other side of the world by sharing the modus operandi (MO). This information is often referred to as the IOCs (indicators of compromise) or TTPs (tactics, techniques, and procedures) of the “bad guys.”

Sharing this is very important and can help disrupt criminal network effectiveness very quickly. An example would be when the Bank of Muscat was hit for $45 million in 2013. It became obvious that RAKBANK in the United Arab Emirates had provided the test run for the criminal group. In that real-life scenario, if RAKBANK had effectively shared the intelligence, the Bank of Muscat would not have lost the money nor had its integrity compromised.

Dwyer has brought international businesses together with his firebrand approach to fighting cyber-crime and it is obviously working as those he and his network have challenged have come after him.

“I have had organised attacks against me when they launched an online army of memes. It is like rabble rousing, getting into all of my computers to try and get me through ‘doxing.’”

Memes are ideas that are literally transmitted by computers, usually by video or humorous text, but in this case the objective was far from funny. Doxing is the process of obtaining or deducing information about a person or, in layman’s terms, the act of searching around on the Internet for someone’s personal details.

Although calling a truce on this occasion, Dwyer is not someone who will be easily intimidated.

Cyber Task Force

So why does he do it? According to the literature surrounding the Cyber Task Force, businesses are under attack, and these raids not only impact financially, but also reputationally. These businesses have previously been forced to look at solutions alone, but the task force is a means of collective response.

Basically, the task force works rather like a neighbourhood watch or early warning scheme that includes the sharing of the modus operandi (MO). If your house is broken into, you go to your neighbour and tell them that they got in through the kitchen window at 4 a.m. so that they are forewarned and can prepare or prevent this from happening to them.

Likewise, if bank or retailer A gets hacked a particular way, the collaborative approach means that it sends out alerts to bank or retailer B, C, and D. Doing this results in safety guards instantaneously going up across the industry. 

What traditionally happens is that bank or retailer A is hacked, keeps quiet, and in four weeks bank or retailer B is hacked the same way. And again four weeks later, bank or retailer C is hacked the same way. The only winners from this silence are the divide-and-conquer hackers. 

“Whereas if this intelligence was shared across the sector, it would prevent this domino effect from happening,” said Dwyer.

Keeping silent may soon not be an option because of the impending EU directive on network information security, which will bring obligations upon businesses including mandatory breach notification, which means that companies will no longer be able to “hide a hack” for fear of brand reputation. 

Robert Madelin, formerly the EU Commission’s director general overseeing digital matters, warned against “a clear and present danger” of cyber attacks in Europe, and there are hundreds of breaches a day already happening.

Indeed, the World Economic Forum recently reported that interdependence in the supply chain, lack of executive leadership, and the failure to integrate cyber into risk management had contributed to their overall risk.

In a recent seminar at Dublin’s Mansion House, Madelin told a gathered audience of business leaders in his own evocative style that they were all “one click away from evil.” In his presentation entitled “Sympathy for the Devil,” he said that cyber-crime had become attractive, hence the title of his presentation.

“It is seen as sexy as it’s a strike for the little guy fighting the system, the hactivists revealing stuff that Governments don’t want us to see. But the reality is different. Cyber criminals want to disrupt you. They adopt a parasitic role and continue to take things from you. Like the situation in Ukraine, they want to occupy you.”

Indeed, it is not necessarily the lone wolf hackers or the organised groups that are of concern. In the hidden world of the Dark Web invented by Government agencies, there is evidence of “conscious collusion” between nation states and organised cyber criminals, which goes to the very core of the Edward Snowden revelations and why his actions caused such controversy and criticism from Governments around the world. 

Dwyer argues, “Today cyber security is as much about the functions of risk management, governance, legal, and compliance as it is to do with technical security operations. 

“This is simply not a fair fight for private enterprise to have to defend itself against the efforts of a nation state. At ICTTF, we believe businesses should appoint a suitable senior person to join our cyber threat task force. This network can collaborate and work together to deal with cyber threats thus protecting Irish businesses and the economy.” 

Those business-orientated members, including legal, regulatory, and technical experts, can help in the fight against the hackers and collectively manage the risk, as well as expand their own vision and network of ideas.

Our problem, he said, was that, unlike the cyber criminals, we occupy too many cyber silos. We simply do not share information in the same way that cyber criminals do. 

“If you go on the drug buying site Silk Road, the customer service is absolutely fantastic. They cannot do enough for you, but it is a way of luring you in. We are into the territory of normalising crime. You are not up against someone who is operating from his bedroom with a piece of malware to buy iPads while eating pizza. Cyber-crime is military grade and organised.

“Controversially, cyber-crime has made the world a safer place—armed robbery is a dying trade. Violence used to be your entry point, but your entry point is now the ability to hack.”

Membership in Dwyer’s leader and warrior groups—those techies on the front line of cyber trench warfare—includes 24/7 access to the specific cyber portals, monthly virtual online briefings, and targeted newsletters and quarterly scheduled peer events. Membership has to be approved and subject to terms of reference.

In his presentation he cited the case of a group of organised hackers who on Tuesday, 19 February 2004 stole $45 million. This was no armed heist, but a silent, almost undetected raid that began at 04:31 with one security breach on an ATM in New York in which the hacker was able to override the usual withdrawal cash limits and quietly walk away with $300,000. This had been organised to such an extent that it was then replicated in twenty-four different countries over a period of ten hours before the authorities had worked out that there had been a breach.

How did this happen? It had all been coordinated through the Deep Web where they could not be tracked.

“This is the place where entrepreneurial criminals look for business opportunities to buy counterfeit money, but it is also the place where you can pay for someone to be murdered or raped,” said Dwyer. 

Perfect Storm

Our love of social media and divulging more and more information about ourselves online makes for a perfect storm for cyber criminals who can access our lives with ease and impunity. They can buy our credit card CVV numbers and passports and, with the growth of social media, can now freely play with and manipulate people’s lives through the click of a mouse.

“This is Dark Web grooming, which is used to great effect by the likes of Islamic State as Jihadists use it for propaganda and recruitment. It used to be that we were three clicks away from evil, now it’s only one,” said Dwyer. 

Retail

Retail is one such confluence of this brewing storm. Stores hold intelligent data that informs managers as to customer likes and dislikes. A recent example is Target in the US, which caused outrage when it sent a teenager coupons for her expected motherhood before she or her family knew she was pregnant. This had been calculated from the young woman’s previous spending habits at the store, and her irate father actually later apologised to the store after confronting them over the vouchers. This level of personal data is gold ready to be mined by retailers and hackers alike.

“Retailers with their voucher schemes and loyalty programmes hold vast amounts of data not only about our financial and personal details, but also our purchasing habits,” said Dwyer. “Also in retail there are so many points of entry for the hacker through the points of sale or the supply chain, for example. Compare this to the fact that retailers have under-invested in cyber security over many years, and this makes them an obvious target for data breaches from hackers looking for fullz information.”

“Fullz” is a slang term used by credit card hackers and data resellers meaning full packages of individuals’ identifying information. Fullz usually contain an individual’s name, social security or national insurance number, date of birth, account numbers, and other data. This is the ultimate goal for the hacker who can buy and sell individual fullz packages for around $70, details of which are all available on the Dark Web.

When those details are accessed, retailers may not even know other than their computers may appear to be working a little slower than usual.

Even loss prevention departments that collate information about suspect postcodes may be missing the point, as this information can also be manipulated by the hackers, who achieve this through device collusion techniques.

Device Reputation

Dwyer argues that retailers can no longer afford to ignore the vulnerabilities, especially in an arena where they are moving into more mobile shopping and sophisticated payment methods. It is not so much about the lost profits, but more a brand integrity impact issue as a result of a major breach.

He argues that we are moving beyond IP address and into the uncharted territory of device reputation. It is no longer enough simply to be able to identify where a transaction is coming from; we must drill down into its integrity and its past lives. And he wants this information shared so that fraudsters entering a store or pretending to be someone else online can be physically detained or virtually ejected because their device will reveal its past misdemeanours.

In other words retailers can set their fraud perimeters based not on where someone lives, but by information such as what their device has been up to.

“Every device will have a reputation, and you will know if it has done something bad,” said Dwyer. “On the rugby field, the only person you should be worried about is the one who can take you out. In the case of retail, this is the hacker who is not taking things off your shelves, but has the ability to destroy your brand.”
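The following is an added illustration, not code from the article, ICTTF, or Cyber Risk International, of the two ideas above: the shared “neighbourhood watch” feed of the task force and a fraud perimeter set on what a device has done rather than on where it appears to come from. The device fingerprints, retailer names, IP addresses, postcodes and thresholds are all constructed sample values.

```python
"""Device-reputation screening fed by intelligence shared across retailers.

Compares two policies on the same constructed transaction:
  1. the traditional IP/postcode perimeter, which only sees where an order comes from;
  2. a device-reputation perimeter, which sees what the device has done at any
     member of the shared feed, so a device flagged by retailer A is caught at
     retailer B even when it arrives from a fresh IP address.
All identifiers and values below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SharedReputation:
    """Shared feed: device fingerprint -> list of (reporting retailer, reason)."""
    reports: dict = field(default_factory=dict)

    def report(self, device_id: str, retailer: str, reason: str) -> None:
        self.reports.setdefault(device_id, []).append((retailer, reason))

    def members_reporting(self, device_id: str) -> int:
        """How many distinct members have independently reported this device."""
        return len({retailer for retailer, _ in self.reports.get(device_id, [])})


@dataclass
class Transaction:
    device_id: str   # stable device fingerprint (constructed sample value)
    ip: str
    postcode: str
    amount: float


def ip_perimeter(tx: Transaction, blocked_ips: set, suspect_postcodes: set) -> str:
    """Traditional check: decides only on where the order appears to come from."""
    if tx.ip in blocked_ips or tx.postcode in suspect_postcodes:
        return "refuse"
    return "accept"


def device_perimeter(tx: Transaction, feed: SharedReputation, high_value: float = 500.0) -> str:
    """Device-reputation check: decides on the device's history across the whole network."""
    n = feed.members_reporting(tx.device_id)
    if n >= 2:                 # corroborated by more than one member: eject
        return "refuse"
    if n == 1 or tx.amount >= high_value:
        return "review"        # single report, or unknown device on a large order: hold
    return "accept"


def demo() -> tuple:
    """Retailer A flags a device; the same device then hits retailer B from a new IP."""
    feed = SharedReputation()
    feed.report("dev-7f3a", "RetailerA", "chargeback on stolen card")
    tx = Transaction("dev-7f3a", "203.0.113.9", "SW1A 1AA", 120.0)
    old = ip_perimeter(tx, blocked_ips={"198.51.100.4"}, suspect_postcodes=set())
    new = device_perimeter(tx, feed)
    feed.report("dev-7f3a", "RetailerB", "refund abuse")   # B now shares its own report
    return old, new, device_perimeter(tx, feed)
```

Run `demo()` to see the IP perimeter accept the order while the device perimeter first holds it for review and, once a second member corroborates, refuses it.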

We are part of a world that cares to share, but the question is should we dare to? The toothpaste is already out of the tube, so it is a matter of getting better at protecting ourselves. In Dwyer’s world you no longer need to do it alone, and collaboration and networking good guys can be just as effective as the bad guys. Collectively they can shine light into the Dark Web and can peel the multi-tiered and “teared” onion of TOR.

For further information, visit CyberRiskInternational.com or icttf.org.
