The excitement around non-fungible tokens (NFTs), rich digital experiences and internet connected devices, highlights the craftmanship of digital professionals. This streak of creativity, however, extends to cyber-criminals who are developing highly imaginative, sophisticated and cutting-edge approaches to crimes that are difficult to identify and detect. The period of digital acceleration we’re experiencing and the ‘internet of things’ are fueling opportunities for thieves and require businesses to think ahead about how they can better themselves and their customers.
About the author: Jamie Bartlett is an award-winning author and broadcaster. He is the author of The Dark Net and The People Vs Tech. His current project is the hit BBC podcast series, The Missing Cryptoqueen, which investigates the multi-billion dollar crypto Ponzi scam, OneCoin.
The creativity of criminals
Browsing through Spotify a couple of years ago, you might have come across either ‘Music from the Heart’ or ‘Soulful Music’. Both were highly popular playlists although the music was dreadful: Soulful Music contained 467 hastily arranged songs, nearly all under a minute long and composed by artists no-one had ever heard of. But someone was listening. An ingenious gang had created these playlists, used machines to generate each song (so they owned the copyright), and then set up thousands of premium accounts to listen away on a randomised repeat loop, always skipping to the next song after 30 seconds, at which point the $0.004 royalty payment kicked in. For months thousands of fake accounts listened to fake songs on fake playlists. The only thing that was real was the almost $1 million they made off with.[i]
It's hard not to feel a little admiration for the audacity, ingenuity and business acumen of the fraudsters behind this ruse. They might be immoral but most cyber-criminals, whether it’s the cliché kid-in-a-hoodie or a well-paid foreign government agent, are just as smart, creative, and motivated as you are. And they don’t have to worry about ‘GDPR’ either.
There are examples of creative and opportunistic cybercrime everywhere. Who first figured out how to make cryptocurrencies work for e-commerce? Dark net drug dealers. And no sooner had Covid-19 arrived scammers were posing as NHS Test and Trace staff trying to obtain personal details, selling fake vaccine passports, and firing out emails offering fraudulent Covid-19 support packages. Although they are often technically skilled, their real talent is playing to human foibles, especially laziness and greed. The biggest crypto-scam ever – a Ponzi-Pyramid scheme called OneCoin – fleeced almost one million people out of at least €4 billion, mostly by playing on people’s fear of missing out on ‘the next bitcoin’.
That cybercriminals will remain talented and opportunistic is a given. Which is worrying because two important trends will make their craft even easier – and we need to respond.
The internet of everything
The first is that everything is turning into a computer, because everything is getting chipped and connected. The fridge of tomorrow might look like a fridge, but it will in reality be a computer with a fridge application. The same is true of a growing number of our everyday devices: the smart TV, car, office desk, coffee machine, clothes. Soon, writes cyber security specialist Bruce Schneier, “saying ‘I’m going on the internet’ will make as much sense as plugging in a toaster and saying ‘I’m going on the power grid’.” This means computer security will be everything security. Hackers are already ahead of the curve: in 2018 a casino in the US was hacked via its internet-connected fish-tank thermometer. Cars have been hacked through the DVD player, navigation system, and even the computers embedded in the tyres.[ii]
The second is that computers will keep getting faster and smarter. No-one knows if ‘Moore’s Law’ (the number of transistors that fit on a micro-chip doubles every 2 years) will continue unabated, but either way computers will get better at spotting trends, discerning patterns and predicting human behaviour. Again, cybercriminals have been quick to spot the opportunity. In one recent case hackers created 250 bank accounts and then used machine learning AI to launder money around the accounts with machine-generated labels like ‘buying a car’ or ‘present to my dad’.[iii] It’s even plausible that within a decade or so, machines will be better at hacking systems than even the very best human. [iv]
Fully automated crime
You don’t need a PhD in software engineering to work out what will happen. Crime will become more automated, which is no different from many other industries. And the more connected we become, the more vulnerable we will be.
Here’s a scenario that many businesses might face before too long. The phishing email will carry on flooding customer inboxes, but they will be far more personalised. An AI powered malware will scan the net for all publicly available information about a company’s staff to build profiles: main contacts, calendar, social posts, friendship groups, personality type. If Julie always goes to the same restaurant on Thursday, our AI malware would send her an email on Wednesday evening asking her to ‘click here’ and confirm the booking. It could accurately mimic the style and tone of the manager too, perhaps throwing in a few little details about her last visit. The AI might even phone her up, using the latest voice imitation software.[v] And every employee would get their own, highly personalised machine-generated trap, all with the click of a single button.
Is that so hard to believe? Is it no stranger than someone telling you twenty years ago that one day criminals would hack into company servers via fish-tanks. Anyway, specific examples matter less than how these broad dynamics – more connectivity, smarter machines plus ingenious hackers – will transform cyber-security. But it’s not a counsel of despair. There’s plenty we can do.
Staying ahead in the cyber arms race
First, the old adage will still stand: the human is usually the weak link. Getting the basics right (not using the same passwords or clicking on dodgy links, all the things you’ve heard a thousand times before) will still help.
But in a world of perfect machine fakery, the challenge will be knowing you are speaking to who you think you are. Some mild paranoia will be essential, and should even be encouraged by the bosses: someone claiming to be a senior member of the exec is calling you late Friday afternoon to process an unusual invoice? Check it in person. Your bank emailing you asking you to ‘click here’ to verify some details? Go to their website and phone them directly.
Second, the risk profile might change. As cybercrime becomes more automated, attacks will be less targeting a company and more targeting a weakness. Machines will scan ports, software types, internet enabled devices, dark net forums for corporate email accounts – any points of entry that can then be automatically exploited. Smaller businesses sometimes imagine they fly under the criminal radar, but automated systems don’t work that way. In one recent test, researchers put a fake finance firm online and waited. Within 2 hours it was found by an automated hacking bot. Fifteen seconds later it had found and exploited all weaknesses, scanned the network, stole and shared user names and passwords and created new user accounts for its creators to use.[vi] This is especially relevant now, as many previously offline businesses have been forced online during COVID-19, and others have implemented working from home, with all its accompanying security problems.
Finally, be prepared. Even when you do everything right, you might still get hacked. As more horror stories come to light – which they will – most people will understand that it’s impossible to stop everything. But they won’t accept a company failing to take the issue seriously. Consumers will increasingly expect convenient and seamless digital products and services, but also for companies to have (and show they have) strong measures to spot and stop fraud, accurate ways to check people are who they claim, to use consumer data responsibly, and to have good back-up solutions too. Without that, when the inevitable happens customers will blame you rather than the criminals behind it. In a world where user data is more important than ever, that’s the last place you want to be.
[ii] Bruce Schneier, Click Here to Kill Everyone, p1
[iv] Bruce Schneier, Click Here to Kill Everyone, p85