Cyber crime is on the rise. How can you keep your money safe? James Lyne, global head of security research at the security firm Sophos, explains how to protect yourself and your money against the malicious codes that hackers create every day. Discover:
- Why individual investors are targeted more often than banks and large companies
- The most common tactics that cyber criminals use
- What could happen if a scammer steals your email login and password
What should you do at the end of the fiscal year?
There are a few financial steps you should take at the end of 2016. Doug Goldstein, CFP®, explains what tax-loss harvesting is and why it’s often done before the New Year. How should you get your financial plan ready for January? What specific items do you need to review?
Follow James Lyne on Twitter @jameslyne and watch his TED talk here.Read the Transcript
Interview With James Lyne
Douglas Goldstein, CFP®, interviews James Lyne, the head of global research at Sophos. He talks about cyber security at length, and gives us a sneak peak on his thoughts about Bitcoin.
Douglas Goldstein: I’m very excited to have on the show, James Lyne, who is the head of global research at Sophos. James, what is the damage that’s happening these days in terms of cyber security?
The Evolution of Cybercrime
James Lyne: Cybercrime has evolved astonishingly over the years. I’ve been watching malware, viruses, and cyber criminals evolve for the last 12 years. It’s amazing the new ways that these criminals find to make money from people. We now see just over 350,000 new pieces of malicious code every single day in Sophos lab.
A huge volume of malware is focused on stealing your credit card or bank account information. They are also increasingly going after new things like Bitcoins, those crypto-currencies that some people out there may be using. Essentially though, a huge volume of malicious code is designed to profit from us, the average user of the internet.
Douglas Goldstein: Are these codes being written by people or computers?
James Lyne: I remember 9/10 years ago sitting in the labs and we saw 4-5,000 pieces of malware a day. A lot of that was being clearly produced by hand, unique variations. Now, the cyber criminals have systems designed to generate malware and they build those systems to generate these new examples, and they are off generating at very high speed, pretty much like the movies Terminator and Skynet. We have our systems watching their systems reacting to them, and they have systems watching our systems. It’s all becoming a big war of online machines generating new malware and new defense mechanisms.
Douglas Goldstein: It’s getting scary. What are they trying to do? Obviously, a lot of times people make the joke and say, “Oh, I got an email from my Nigerian prince,” or “I won the South African lottery and I knew that one was spam and I didn’t click on it.” But what do people have to really watch out for?
James: There’s always someone clicking on that Nigerian prince’s email.
Douglas Goldstein: It is shocking actually. It’s true.
What Cyber Criminals Are Really Aiming For
James Lyne: There’s a wide array of motives here today. There are a lot of different hackers and cyber criminals on the scene. Some people are doing it for fun, while others are doing it for hacktivist purposes, or political or activism- related, maybe making a political point. But the lion’s share of all that malware out there is about fraud. It’s about making money from your data; your information. And that’s where we end up in one of the most dangerous assumptions of the everyday person. People say all the time, “Why would a cyber-criminal target me? I’m not that interesting. I don’t have millions and millions of euros or dollars or pounds or whatever. Why would they bother?” The truth is that cyber criminals, opportunistically, are very happy to target and make money out of everyone, and we’re all a target. It’s really about fraud.
Douglas Goldstein: So a person thinks, “Who am I? My bank account is pretty safe because the bank is safe and they use these encoded websites.” What should he be worrying about?
James Lyne: There have been a few incidents recently in particular in Asia, where cyber criminals have gone after banks directly. But the grand majority of the time, the cyber-security practices at these banks are extremely high and the cyber-criminals don’t go after the bank vault. They don’t go after breaking the powerful encryption that’s implemented when you access the site. They go after you, the individual and the user. It’s far easier to hack or infect 50,000 people’s computers than it is to actually go after the bank directly.
Most of the time, it’s a really simple set of tactics. It’s emailing people with a scam that gets them to click a link going to a webpage that contains nasty code. They take advantage of the fact that maybe your computer isn’t up-to-date. They run the latest software, and silently in the background they install malware that scrapes your personal information away or intercepts your credit card details. It’s called “phishing,” and it’s pretending to be a legitimate retailer and asking you to sign and provide information.
One of the most prolific and successful campaigns at the moment is the cyber criminals sending people invoices, or payment remittances, or tax refunds, saying, “Hey, you have to pay this payment or we’re going to take you to court. Here’s an invoice.” You open up the attached document and that’s what deploys this evil code that steals your money.
And last but not least, there’s still a wealth of phone call-related scams floating around as well, but infection via websites and phishing scams via email aren’t new. They are not clever, but they are the real techniques the cyber criminals use most of the time.
Douglas Goldstein: What can these hackers do with your name or your Social Security number? Why is that considered so valuable that we should protect it?
Why Should We Protect Our Information?
James Lyne: It’s an interesting mindset that we are developing at the moment because, many times, when we lose our credit card information, we believe that someone will cover that since it’s insured. Sometimes that is true. But we are moving to a place where negligence on your part and failing to do the basics may invalidate that insurance. For small businesses, a lot of that has already happened. There’s no guarantee you’ll get your money back. But there’s going to be a movement on that as well for consumers, so we should start to take more responsibility for it.
Cyber criminals use bank account information, Social Security numbers, and so on to fraudulently create accounts. They may be out to build enough of a profile to be able to open up a loan account with a financial institution. Any of that information is valuable to a cyber-criminal potentially for diverse forms of fraud. Cyber criminals will pay between 25 cents US dollar equivalent in Bitcoins- it’s crypto-currency- and $3 for your email username and password. Even if it’s a webmail account of Yahoo! or Gmail, they’ll pay for that because of how valuable you are in distributing their scams to your friends, family, and colleagues. Just that alone is worth coming after your computer.
Douglas Goldstein: What do these people look like? Are these people snarly little slugs who are sitting in holes, or are they college students?
Is There Any Way To Identify Cybercriminals?
James Lyne: There’s the wonderful stereotype that you ask people about hackers and it’s something you’ve seen in a movie. The hacker, whilst driving a sports car one-handed, uses some kind of phone to turn off an entire block of lights in a city. There’s also a stereotype of the hooded hacker sitting in his mom’s basement growing ever large and spotty. These two scenarios are largely overdramatized. The truth is we don’t know. We, once in a while, get to catch these cyber- criminals. The International Police forces and intelligence agencies are getting much better at tracking people down, but it’s still a tiny portion compared to the overall cyber-criminal community.
Most of them are anonymous; we don’t know where they are and we don’t get to meet them. The truth is that it could be very much my neighbor living a couple of metres away as it could a cyber-criminal sitting in Russia or China. I don’t think we can really make much of an assumption about their shape or size.
Over the past few years, their professionalism has increased on an unbelievable basis. They’re selling products and services to each other and have developed an illicit market. They also have underground forums that have better usability than many of the online retail stores legitimate consumers use. They’re very efficient and professional.
Douglas Goldstein: A lot of people think that Bitcoin is the future of currency and a great idea. You’re describing it as a system that’s only used on the black market for all sorts of evil purposes or hackers. Is Bitcoin a type of thing people should be owning now, or is that just a passing fad?
Is Bitcoin The Real Deal…Or Not?
James Lyne: I’m honestly divided on that topic. I had some great fun with Bitcoin and doing some investments with Bots when the exchanges were nice and volatile early on. I think there’s huge potential, as a technologist and a security professional, for crypto-based currencies and digital currency. It is a likely future trajectory of currency in general.
Cyber criminals have latched onto digital currencies as a mechanism for payment. They enjoy it for its liberal, unregulated set-up. If they can get standard users, through their various financial institutions, to buy these Bitcoins, it’s easy for them to wash that trail and get the money quickly. It is not so easy with traditional banks because of the checks and balances that take place to look for fraud. And it’s really not about Bitcoins per se. It’s just some of the things we like about it as a positive currency also happen to be beneficial to cyber criminals.
I think there’s a future in digital currencies and I’m a big proponent of them. However, we can’t deny that we’ve got some kinks and challenges to work out here.
Douglas Goldstein: This is something that I’m a little weary about as I tend to be a more conservative investor. Tell us how people can learn more about what you’re doing, other than watching your TED talks. How can they follow you?
James Lyne: They can look me up on Twitter, as well as check out a couple of TED talks. Please share them with your friends and family and others to raise awareness of the security topic.
I’ve talked about how professional and efficient cyber criminals are. However, a lot of the time these attacks don’t work because of super clever, unblockable, uber viruses. They work because people make basic information security mistakes. In the Sophos website, we have the top 10 simple tips, all of which are pretty easy to implement. Everyone listening can make life a lot harder for attackers. I also believe that things like internet and online banking can be a great deal safer than traditional equivalents like the telephone. People should apply the practices; don’t be too scared, but have a healthy fear.
Douglas Goldstein: James Lyne, thanks so much for taking the time.
James Lyne: Pleasure. Thank you.