Target Locked the Front Door but left the Windows Open


5 things that you can do today to help protect you and your company

Target was in the news again last week when it was announced that the way hackers exploited Target’s point of purchase software was through one of their vendors – Fazio’s Mechanical Service, a heating and cooling service provider from Sharpsburg, Pa.  I have written several times about Supply Chain Risk and Fraud in the Supply Chain, but this instance of one of the largest data breaches in history is a great lesson to ALL of us in how cyber fraud and the supply chain are intertwined.

CyberSource’s 2013 Online Fraud Report (Online Payment Fraud Trends, Merchant Practices and Benchmarks) stated that in 2012 there was $3.5 billion in online fraud.  So how does a company like Target, with an extensive security budget, get hacked through one of its vendors?  Through the one ‘system’ that is hardest to control – our associates and suppliers.

Human behavior is in many respects predictable.  It is this very predictability of behavior that a fraudster relies upon to gain access to an account.  Fraudsters, confidence men like Madoff, and cyber crooks depend on the predictability of their marks to help them with their schemes.

Cyber fraudsters follow several steps.  First, a malware coder is hired, many times by organized crime, to write code that exploits a particular system and extracts information from the targeted system through the use of a ‘Trojan Horse’.  The term “Trojan Horse” comes from a Greek myth, in which the Greeks presented a giant wooden horse to the Trojans as a peace offering.  However, a nasty surprise awaited the Trojans as Greek soldiers sprang out of the hollow horse and captured Troy.  Similarly, a Trojan horse program presents itself as a useful program, while it actually causes havoc and damage to your computer.

Sometimes the victim is known beforehand, and the malware is written for a specific company.  Other times, the malware is written for a specific piece of software and the fraudsters go after companies that run that software.  It could have been either of these scenarios – or a combination of both – that put Target in the cross-hairs of these fraudsters; the volume of transactions and the time of year targeted were not a coincidence.

Cyber fraud could happen to almost anyone.  A CEO of a well-known company infected his own system when he opened an email on Facebook with a ‘picture’ that read “I can’t believe how young we were”, and the picture came from a name that resembled a classmate.  This is the second step of cyber fraud: get the malware into the hands of an access point.  The ‘picture’ contained malware for capturing passwords and email.  The CEO was targeted through a process called ‘spear phishing’ – where a specific individual at a company is targeted for a specific reason.  This malware would lead to the breach of his company’s treasury and banking software.  (See related Firestorm Article: Show this Video to Your Students, Co-workers, Children – Everyone – The Social Media Experiment)

The fraudster had gone online, through the CEO’s own company web site and found a bio with the CEO’s college, Googled the school’s newspaper, found an article including the CEO’s fraternity, and downloaded a photo from the school’s archive of the fraternity for the years while the CEO attended college.  With names off of the picture, the cyber-criminal then created a fictitious Gmail and Facebook account, and forwarded the ‘picture’ file to the target CEO.  The fraudster bragged to authorities that it took him less than one hour to do this, and within a day, the CEO had opened the file.

The file gave the fraudster access to the CEO’s company email and passwords.  Then, using the CEO’s email, he sent an email to the treasurer which said “Read this and get back to me immediately” – that file held the malware for the banking system, the third step.  The treasurer opened the email immediately – just as the fraudster expected.  How many of us would react in a similar way?  This led to the fourth step: the banking credentials were siphoned.

There are several more steps, but the fact is, the CEO opened the door himself through poor practices.  The company spent millions on IT security effectively padlocking the doors, but the CEO opened the windows!  
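How a mail gateway or an analyst could flag the pattern in this story, as an added example that is not part of the original post: it checks for a display name that matches someone the recipient knows while the sending address is not the one on file (the fictitious ‘classmate’), for a ‘picture’ attachment that is really a program, and for wording that pressures the reader to act immediately. The address book, the sample messages and the extension lists are constructed for the example.

```python
"""Triage rules for the spear-phishing pattern described above.

Added example, not code from the original article. It flags three signals the
story turns on: a display name that matches someone the recipient knows while
the sending address is not the one on file, a 'picture' attachment that is
really a program, and wording that pressures the reader to act immediately.
The contact list, sample messages and extension sets are constructed.
"""

import re
from email.utils import parseaddr

# Constructed address book: trusted display names -> addresses they really use.
KNOWN_CONTACTS = {
    "john doe": {"john.doe@example-university.edu"},
    "jane roe": {"jane.roe@example.com"},
}

# Extensions Windows will execute on double-click (constructed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "jar", "pif"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}

URGENCY = re.compile(r"\b(immediately|urgent|urgently|right away|asap)\b", re.I)


def normalize_name(name):
    """Collapse whitespace and case so 'John  Doe' and 'john doe' compare equal."""
    return re.sub(r"\s+", " ", name).strip().lower()


def sender_impersonates_contact(from_header):
    """True when the display name is a known contact but the address is not theirs."""
    name, addr = parseaddr(from_header)
    known = KNOWN_CONTACTS.get(normalize_name(name))
    if not known:
        return False  # unknown name: nothing to impersonate
    return addr.lower() not in known


def attachment_is_disguised(filename):
    """True for names like photo.jpg.exe: an executable wearing an image extension."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in IMAGE_EXTS


def triage_message(msg):
    """Return the reasons a message looks like spear phishing; empty list if none."""
    reasons = []
    if sender_impersonates_contact(msg["from"]):
        reasons.append("display name matches a known contact but address differs")
    for fn in msg.get("attachments", []):
        if attachment_is_disguised(fn):
            reasons.append(f"attachment {fn!r} is an executable disguised as an image")
    if URGENCY.search(msg.get("body", "")):
        # Low confidence on its own: real colleagues are urgent too, and mail from a
        # compromised genuine account (the CEO's, in the story) passes the sender check.
        reasons.append("body pressures the reader to act immediately")
    return reasons


# Constructed sample inbox: a genuine note, the lookalike 'classmate', and an
# urgent request sent from a real account.
SAMPLE_MESSAGES = [
    {"from": "John Doe <john.doe@example-university.edu>",
     "body": "Reunion photos attached.", "attachments": ["reunion.jpg"]},
    {"from": "John Doe <john.doe.1998@webmail.example>",
     "body": "I can't believe how young we were", "attachments": ["fraternity_1998.jpg.exe"]},
    {"from": "Jane Roe <jane.roe@example.com>",
     "body": "Read this and get back to me immediately", "attachments": ["q3_numbers.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage_message(m) or "no findings")
```

The second sample trips two rules and the third only the urgency rule, which is the point the story makes: once a real account has been taken over, the sender check is clean and only the request itself looks odd, so the human on the receiving end is the last control.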

How many times have we been told “Don’t open emails from people you don’t know”?  Well, fraudsters know that as well.  How many DHL emails have you received about the package that couldn’t be delivered?  Or notices from American Express, or a major bank (some of which you do not even bank with), sending you urgent emails?

I know a seasoned executive who has infected his computer through these scams not just once, but more than once!  I asked him “Did you have a package with DHL?” and he answered “No! That’s why I wanted to know what wasn’t delivered!”

Fraudsters know this behavior and expect it – no, depend on it – to implement their fraud.  Now imagine this scenario at one of your suppliers; no matter how sophisticated your organization may be, your suppliers and business partners, and their families may be leaving the windows open.

How are the controls at your company?  OK, now how good are they at your suppliers?  And their suppliers?

Here are 5 things that you can do today to help protect you and your company from these cyber-attacks:

  1. You have to assume that there will be a breach.  As such, limit the ability of other companies to access your key systems.
  2. Insist not only that your company carry Cyber Fraud insurance, but that anyone who conducts electronic business with you has insurance as well.  Ask for a certificate of insurance with appropriate limits.
  3. Insist that passwords be at least 12 characters and include numbers, upper and lower case letters, and special characters.  And change these passwords frequently.
  4. Conduct effective and frequent fraud training of your family and company associates in the areas of cyber security.  Yes, I said your family!  Your kids or elderly parents can infect your computer as easily as you can.  Email me at [email protected] and I can share with you how I do this!  It’s fun and easy!!
  5. Test your systems and your suppliers’ systems.  Use a data breach firm to conduct vulnerability assessments.  Use a firm which specializes in this area.  Consult a Certified Fraud Examiner and they can help you find reputable firms.

Don’t lock your door and leave the windows open! Understand and prepare for your next cyber-attack.  If you want a fraud assessment for your business, feel free to contact me.
