Cyberfraud is maturing into a stable, highly profitable business, adopting modern management principles and investing heavily in innovation. It has already evolved into an impressive, sophisticated, well-managed, capitalistic environment, composed of bold hack-innovators, hack-services providers, hack analytics, hack market promoters, and some hacking line soldiers, who are the ones who get caught while the master planners stay tucked safely in the rear.
The key strategy now is stealth identity theft. In years past, a stolen identity was immediately exploited by trying to charge something expensive with it. The theft was readily exposed and neutralized. Today, stolen identities are kept secret. They are exploited as proxies from which to leapfrog to more serious fraud, or they are used to milk credit card accounts.
But mostly they are used as a means to establish bases for a secondary attack with little risk of exposure. Quite a few innocent people have been followed by law enforcement, which believed them to be cybercriminals, when in fact a cybercriminal had used their identity as a decoy.
One significant trend concerns Internet users’ many everyday accounts. These have been penetrated and are now co-owned by a hacker, without the rightful owner’s knowledge. The hackers often operate in parallel with the bona fide identity, posing a real security challenge. Using captured accounts, hackers operate with multiple identities, and oftentimes law enforcement is clueless about whether it faces one wily hacker operating from a few dozen accounts, or an army of fraudsters.
Hackers understood early on that the prime cyber-defense, the password, is highly vulnerable because users do not understand that passwords that are not fully randomized can be exposed. In fact, people fail to appreciate how far from random they are even if they try to pick a random password. And most people use some mnemonic, which is way off random.
The farther the password is from pure randomness, the faster it can be cracked. But the means proposed to enforce randomization have often been counterproductive. Many Web sites require long passwords that include a capital letter, a number, and a special symbol. Users have responded by relying on one such compliant password they use everywhere. So once hackers compromise the passwords used by some parochial game site with lax security, they have a good take on which password the same user is using with his bank account.
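To put numbers on the gap between a rule-compliant password and a random one, the following added example (not from the original column) estimates the guessing space of a password twice: naively from its character classes, and under a "word + digits + symbol" pattern model. The word sample, the assumed dictionary size of 20,000 and the function names are assumptions made for illustration.

```python
import math
import re
import string

# Constructed sample of common words; a real estimator would load a large list.
COMMON_WORDS = {"dragon", "summer", "monkey", "football", "sunshine"}
ASSUMED_DICT_SIZE = 20_000  # assumption: size of a guesser's word list
PATTERN = re.compile(r"([A-Za-z]+)(\d+)([^\w\s]+)")  # word, digits, symbols

def meets_policy(pw: str) -> bool:
    """Composition rule from the text: long, with capital, number, symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def naive_bits(pw: str) -> float:
    """Bits if every character were drawn uniformly from the classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0

def pattern_bits(pw: str) -> float:
    """Bits when the password is a known word followed by digits and symbols."""
    m = PATTERN.fullmatch(pw)
    if not m or m.group(1).lower() not in COMMON_WORDS:
        return naive_bits(pw)  # no mnemonic structure found by this model
    _, digits, symbols = m.groups()
    return (math.log2(ASSUMED_DICT_SIZE)  # which word
            + 1                           # first letter capitalised or not
            + len(digits) * math.log2(10)
            + len(symbols) * math.log2(len(string.punctuation)))

if __name__ == "__main__":
    # Both constructed samples satisfy the composition rule.
    for pw in ("Dragon2017!", "q7#Vz!p2Rw$"):
        print(f"{pw:12} policy={meets_policy(pw)} "
              f"naive={naive_bits(pw):.1f} bits pattern={pattern_bits(pw):.1f} bits")
```

The naive figure only holds for a password that really was generated at random; for the mnemonic one, the pattern estimate is the relevant bound, and reusing that password across sites removes even that.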
The modern hacking industry has developed a secondary industry—selling hacking tools to aspiring hackers. One hacker touted his offering as “Hacking for Dummies.”
In Hacking 2.0, the modern science of big data is big business. By analyzing reams of compromised data, important patterns are discovered. When a highly placed individual like John Podesta becomes a victim, then his exposed work space may be ill-leveraged, with disastrous consequences. Unfortunately, most secret accounts will allow you to restore your account access with a new password if you click back on the email of record. Cracking email passwords is a bonanza for the long-range hackers.
Bitcoin in particular, and the technology of digital money in general, have offered hackers the financial platform to operate underground with great impunity. They pay, they hire, they blackmail (ransomware), and share investments, all with no trace in the nominal financial system. “We are like a well-managed cancer,” one hacker told me. “As long as we don’t overdo it to the point where we kill the patient we live off, we can last forever—like taxes—as an acceptable burden on the nominal data industry.”
Bright as the future looks for hackers, some far-sighted practitioners are worried that their industry will become too greedy and prompt a serious national effort to develop a strategic vault based on solid security principles and robust cybertheory. Indeed, in the offing we see a new paradigm of cryptographic tools that offers a guaranteed measure of security. Public ID can be effectively protected through Cyber Passport and similar solutions.
Today, our identity may be abused, and we won’t even realize it for a long time. Our reputation, our money, our well-being are all in jeopardy. We need leaders with this battle cry: Don’t just limit, curtail, fence off, or “degrade” cybercriminals. Destroy them, take them out, finish them off. We live here, and we need to live in peace!
—Gideon Samid • Gideon@BitMint.com