The Internet of Things: a risk for the financial sector?
By Risk Performance and Technology group
Original, as it appears on Finance et Investissement – https://www.finance-investissement.com/
To meet the challenge of a clearly established trend and the growing need for mobility, the number of devices connected to the Internet is increasing and they cling to us like little helpers in our daily tasks.
These devices come in a variety of forms. Smartphones, for example, allow us to receive emails, manage our schedules, connect at any time with social networks, take photos and videos of our lives and share them in real time, chat online with our relatives, receive, read and sign electronic documents, organize or participate in videoconferences, and even use global positioning to locate our parked cars.
Our phone has literally become a virtual, mobile desk… if not a secretary! Some brands even suggest replacing the “ancient” desktop computer with the phone.*
Other connected devices, such as watches and smart glasses, transmit information from our phone and allow us to interact with others even more in real time. Our connected belts and bracelets inform us about our physical and bodily activities, track them and compare them in online reports.
Video surveillance using cameras connected to our home Wi-Fi network, or even connected thermostats, light bulbs and electrical outlets that are remotely adjustable using a simple mobile app, have also become tools that we use on a daily basis.
In our ongoing search for ways to save time and effort, we consume technology to speed up or automate our tasks. The question is, aside from electricity, what are these technologies consuming? The answer is simple: they are consuming our information.
Over the last five years, these technologies have proved to be vulnerable,** and most of them have been the target of data attacks and theft, sometimes more than once.
We seem to think that this private data has no monetary value, but, in fact, once it is correlated, it can be very useful for committing targeted and effective cyberfraud.
Below are two examples based on actual cases that could happen to you or your clients.

Thanks to a very targeted spear phishing attack, a cybercriminal was able to retrieve the identifiers of the personal email account of a staff member in the finance department of a mid-sized company (400–500 employees and approximately $120 million in annual earnings).
What is a spear phishing attack?
Imagine that you received the following email: “Hello, I’m Francine de Gaspésie, your cousin’s wife. Your cousin asked me to send you the link to access our online photo album with pictures from our vacation in Cancun.”
The data linked to your family and personal ecosystem is available on Facebook thanks to the many tags that identify you in photos held in the barely protected accounts of family and friends (and yes, even if you don’t have an account, you are almost certainly identified on Facebook).
Therefore, you open the email and confidently click on the link because you can’t imagine that someone might know so much about your cousin and his wife, Francine, and their trip to Cancun.
You come to the page https://www.microsft-0nedrive.com/Francine/photos/Cancun2017. There’s a green padlock in the browser, so the page appears to be secure, and it looks deceptively like Microsoft’s authentication page. This is the point where you have to enter your Hotmail identifiers to access the directory with the shared photos. You enter the information and suddenly an error message tells you that the password is incorrect. You start again and come to the same page, which now informs you that the shared directory has been deleted or is no longer available. You really need to talk to Francine about this. Her directory doesn’t work!
Then you realize that the page was a fake page, held by a cybercriminal who received your Hotmail account identifiers twice. They’re already connected and accessing your emails and services.
Thanks to a search filter preconfigured for Hotmail, they notice that you subscribe to Fitbit services to monitor your physical activities and that the iCloud account on your iPhone is configured with your Hotmail account. Therefore, they can access your iPhone agenda, your LinkedIn account and your fitness schedule.
Here’s another example. Recently, many people have been the victims of a different kind of fraud, but with similar results. You receive a message that did not come from your antivirus software, but which states that your computer is seriously at risk. The message recommends that you call a particular number. The person at the other end answers in your language and pretends to represent Microsoft, then asks you to install software that lets them take over your computer remotely, supposedly to help you.
Do not trust them. Microsoft does not do this kind of thing. Be aware that the tool you will be asked to install will attempt to obtain your passwords for the Internet accounts saved in your browser and many other files. If this happens to you, shut down your computer and call a recognized specialist.
CEO fraud
What will the fraudster do with all this personal information?
The fraudster will use the time you are out jogging (known from your Fitbit data) to send a message from your personal email account, pretending to be you.
This email is addressed to the assistant of one of your high-wealth clients, referring to this person by their first name (information easily found on LinkedIn, in your emails or on the Internet). In this message you explain that your last invoice for fees has not been paid and you’ll be in meetings all day (information found in your shared iCloud agenda).
The tone of the email is urgent and insistent. An invoice, a signed transaction request or banking information is contained in an attachment. The anguish and stress this email causes risk turning the attempt into a completed fraudulent transaction.
You think this can’t be real?
Coop Fédérée ($5.5M in 2014) and many other businesses have already been the victims of this type of fraud, with accumulated losses of more than $500 million per year.
Don’t be the next victim.
Don’t be the weak link because of your hyper-connected life.
*As soon as you arrive at the office, your phone connects directly to a computer screen, a keyboard and a mouse, and you use it like a conventional computer.
**A word of caution: I am not saying that the companies behind these technologies have bad intentions (but we only know or think we know the “big” players in the market).