A Privacy Warning for Smartphone Users
In today's high-tech age, your smartphone can be your concierge, navigator, websurfing device and of course a phone.
But with this "freedom" and "technological advances" your privacy could be in jeopardy. Sony's second cyber attack in a matter of weeks just shows that while we may be light years ahead in terms of convenience, the fabric making up the network that gives us this freedom is in need of repair.
So just how vulnerable are we? I asked Dave Jevans, founder and chairman of IronKey, which provides various cyber security services. He is also the chairman of the Anti-Phishing Working Group which tracks and quantifies phishing attacks and fake websites.
LL: What can you tell us in terms of the proliferation of phishing attacks and fake websites?
DJ: Every month there are about 50,000 new phishing attacks launched against Internet users worldwide. Each attack may involve millions of fake emails, and numerous fake websites. Fake websites might look convincingly like your bank, a big e-commerce merchant or even a government site like the IRS. These attacks are increasingly becoming targeted, meaning that you will only receive phishing emails that look like the actual bank that you use for your finances.
LL: How do these cyberattacks work?
DJ: Three to five years ago, cyber criminals would send out tens of millions of fake emails per day, trying to trick consumers into inputting their usernames and passwordsfor online banking and e-commerce into convincing fake websites. In the last few years the technical sophistication of these attackers has increased dramatically.
Now they are employing professional programmers to write malicious software, which we call "malware" or "crimeware." This software can evade even the best anti-virus and anti-malware protections and can get installed on your computer invisibly simply by opening an attachment in email or by visiting a website that an attacker might have compromised.
Once that crimeware is on your computer, it tracks which websites you go to, and sends your usernames and passwords to cyber criminals, who then might log into your account and transfer money or use your credit card for fraudulent transactions. Recently we have seen the fraudsters targeting corporate users of online banking systems. In those cases, companies may lose hundreds of thousands or even millions of dollars. IronKey Trusted Access for banking product isolates corporate banking users from these threats.
LL: The Sony attacks are just a slew of recent cybercriminal attacks on companies like Epsilon and RSA. What is making these attacks different than past attacks?
DJ: These attacks are illustrating the new technical sophistication of the cybercriminal underground, as well as showing us just how much effort and time is going into attacking companies. They utilize advanced technologies to find security vulnerabilities in even the most secure websites, and then break into a company in order to steal databases of consumer information including credit cards, names, addresses and email addresses.
In some cases, the criminals are spending months carefully finding out who works at a company, and then crafting "spear-phishing" emails to individual employees, often with malware attached to these emails.
Their goal is to infect the computer of an employee at a target company. The criminals will then connect to the infected computer that is inside a company, and use that as a launching pad to search through a company's network and find valuable databases of customer information, trade secrets and the like.
LL: How would you grade Sony's job in handling this situation?
DJ: Sony is in the unfortunate position of being the victim of one of the biggest data thefts ever. They did a good job in preventing further data losses by turning off their online gaming network for a week as they worked with the FBI and cyber security companies to track what was stolen, and to improve the security of their networks.
As far as customer communication goes, they are doing a reasonable job now in offering advice to consumers to review their credit card statements and to look out for fake emails. It appears that Sony does care a lot about their customers, but understandably this is a major security incident and must be treated with care. The investigation is ongoing, so it is understandable that Sony will not be disclosing all the details of the data breach.
LL: Do you think PlayStation will need to do more than just give "freebies" to show remorse and appreciation?
DJ: It is my understanding that the Sony PlayStation group has offered customers some levels of free service to make up for the time that their service was offline due to responding to the data breach. They are also offering credit monitoring services.
We shall see what kind of other compensation they might be discussing with consumers and the financial services community who might need to re-issue credit cards, if it is found that those credit card numbers were in fact stolen. We just don't know at this time.
LL: Videogames are becoming more and more a part of our online functionality. What does Sony need to do to protect their valuable customer data?
DJ: Sony is no different from any company conducting business on the Internet.
Companies need to employ a layered security model. This means that there is no "silver bullet" of security technology that can guarantee that systems cannot be compromised by cyber criminals. Firewalls and intrusion prevention systems should be used on corporate network gateways. Encryption should be used to protect customer data and other sensitive information when stored on a computer hard disk or removable flash drive.
Anti-virus and anti-malware protection should be installed on every computer, and must be updated daily. Email should be filtered for viruses, malware and phishing. Internal staff need to be aware that they might be targeted by cyber criminals, and should limit their use of social networking sites and auction sites from work computers which could become infected with malicious software. Finally, Sony and other companies should be deleting old customer data that is no longer required for day-to-day operation.
LL: Sony declined Monday to testify before the Energy and Commerce committee. Do you think Sony customers deserve to see the CEO go before Congress?
DJ: My personal opinion is that a congressional hearing might serve to educate other companies about the high level of information security risks that they face on a daily basis. However, I doubt that the CEO of Sony is best equipped with the knowledge of Internet security systems to provide such information.
LL: Recently the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) issued a joint alert saying $20 million had been stolen from small and medium sized business and sent to China. What can be done to stop this?
DJ: The theft of money from small and medium sized businesses through their online banking systems has become a major problem for banks in the U.S., Europe and Australia.
Criminals are using advanced crimeware software to infect the computers of finance professionals inside companies, and then using information stolen from their computers to log into online banking sites and transfer money outside of the USA. We have been under attack from criminals in Eastern Europe for some time, and now we are seeing evidence of attacks from Asian cyber criminals. There are several steps that can be taken to stop this.
1. Protect the banking customer. Securing the web browser of a customer doing online banking is crucial.
2. Detect the fraud. Banks need to add fraud detection systems to their payment systems, particularly for corporate payments. For example, if a company has never made any payments to a vendor outside of the U.S. and then suddenly one day makes a $100,000 payment to an unrecognized bank account in China or Russia, the bank should detect this and call the customer to confirm the transaction before approving it.
LL: Let's turn to the wireless carriers. Sen. Al Franken (D-Minn), Chairman of the new privacy and technology subcommittee of the Senate judiciary committee, will be holding a hearing on May 10 with testimony by Apple and Google , to get to the truth of how muchinformation has be collected. How much privacy does a mobile user truly have?
DJ: Mobile users of smartphones have far less privacy than might be imagined. Smart phones allow various parties to monitor not only web surfing, but also email, app usage and physical location. There are so many ways to track a user. The phone service provider knows exactly where you are, and which websites you are visiting.
The app vendors in many cases know all of your traffic, some of your passwords, and your location. There are advertising networks for mobile apps, just as there are for websites, that share information about you. In the future this will get even worse when smartphones become virtual credit cards.
LL: There are few restrictions on this and there is a "do not track" option on browsers but that's not a true given that the websites will honor that. Can this information be hacked and sold to advertisers or data brokers?
DJ: The information about which websites you visit is routinely sold to advertisers and data brokers. It is true that the Federal Trade Commission does audit some of the larger websites for compliance with their own privacy policies.
However, with millions of websites out there, and hundreds of thousands of apps, it is only a small percentage that are actually audited. By the way, have you actually read these policies?
LL: Apple admitted recently that it has been storing iPhone user records for at least a year. Would a cybercriminal want this type of information?
DJ: A cybercriminal will find a use for as much information as they can harvest about a potential victim.
For example, if they have access to your travel information, by way of your GPS history, they might know that you are out of the country, and thus less likely to check your bank balance.
That's a perfect time to initiate fraudulent funds transfers from your bank account. Or, they could use the information about which stores you frequent in your neighborhood to send you fake emails pretending to be a coupon from your local coffee shop. No doubt you would open that email attachment! Of course the criminal would infect the attachment with malware, and from there they could start getting into your online banking sites.
LL: AT&T and Verizon have told the Congressional Privacy Caucus that they have little control over the information collected by third-party applications on smartphones.
How cautious should a smartphone user be when downloading, accessing or using applications or services?
DJ: This is a fact. Network service providers are providing connectivity between your phone and the Internet. Rarely these days do network providers have any influence on apps or content for your phone. With the advent of smartphones like iPhone and Android, and app stores, the carriers have lost their control.
Apple does a good service by auditing the apps that appear on their app store. Google has been working with the user and security community for collaborative rankings of apps. However, no system is 100 percent secure.
Users should exercise care when downloading new apps, especially those that do not have a lot of user ratings. Users of jailbroken phones must be particularly cautious, as there are many malicious apps, trojans and viruses that could infect a jailbroken smartphone.
Questions? Comments? Email us atNetNet@cnbc.com
Follow on Twitter @ twitter.com/loriannlarocco
Follow NetNet on Twitter @ twitter.com/CNBCnetnet
Facebook us @ www.facebook.com/NetNetCNBC
A Senior Talent Producer at CNBC, and author of "Thriving in the New Economy:Lessons from Today's Top Business Minds."