ISMG Editors: Verizon's DBIR Reveals Surge in BEC Scams
Also: Security Challenges in APAC; SEC Gets Tough With Binance and Coinbase
Anna Delaney (annamadeline) • June 9, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including highlights from Verizon's 16th annual Data Breach Investigations Report, what's on the mind of CISOs in Malaysia and the Philippines, and how the U.S. SEC sued crypto trading platforms Binance and Coinbase over securities violations.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Rashmi Ramesh, senior subeditor, global news desk; and Suparna Goswami, associate editor, ISMG Asia - discuss:
- Highlights from Verizon's 2023 Data Breach Investigations Report, which reveals that the most prevalent attacker tactics or tools involved in data breaches, when known, were stolen credentials, followed by ransomware, social engineering and vulnerability exploits;
- Key takeaways from conversations with security leaders at ISMG events in the APAC region;
- How the Biden administration stepped up regulatory enforcement against cryptocurrency trading platforms this week in consecutive lawsuits targeting Binance and Coinbase for alleged violations of securities laws.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the May 26 edition on how Ukraine's defenders prepared for war and the June 2 edition on why communication skills matter for CISOs.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello! Thanks for joining us for the weekly edition of the ISMG Editors' Panel. I'm Anna Delaney, and this is where members of the editorial team examine some of the top cybersecurity and information security news stories of the week. I'm very pleased to be joined today by Suparna Goswami, associate editor at ISMG Asia; Rashmi Ramesh, senior subeditor for ISMG's global news desk; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Mat, Verizon's 16th annual Data Breach Investigations Report was published this week. This is Verizon's yearly gauge on how we're doing as an industry and how we're preparing for and responding to incidents and breaches. Some things never seem to change, but what was particularly new or different for you this year?
Mathew Schwartz: The 16th annual Data Breach Investigations Report - we've been in this data breach thing for a long time now, and data breaches aren't going away. What is really useful with reports like Verizon's is getting a sense of when data breaches happen and how they are happening. It's not a look at every breach, but there are different organizations involved who are feeding data to Verizon about what they've seen based on the incidents they've helped investigate or - in the case of the FBI and its IC3 - incidents that had been reported to it. Any time we're talking about breaches or ransomware, we don't know the complete picture, but it's great to have reports like this that give us some perspective on what's happening. A lot of times, it's tactics that we have been seeing. Stolen credentials are the most-seen tactic that leads to a data breach. After stolen credentials, it was ransomware, which won't surprise anybody. After that, social engineering, and after that, exploiting vulnerabilities. Let's pick social engineering, for example: what's been happening in the recent past? Recent past, because this is the 2023 report, but it covers the 12 months up until near the end of 2022. In the report's timeframe, business email compromise attacks had nearly doubled, and they comprise about half of all social-engineering attacks. One quarter of all the breaches analyzed for this report had involved ransomware. Social engineering and ransomware are two things you need to be defending against. Another interesting finding was that three quarters of the breaches, 74%, traced to some type of human element: human error or valid credentials that have been misused - could be by an insider or by external attackers who got access to them because they were able to trick someone into divulging them. The final point I would make is insider versus external attackers.
The vast majority of incidents that they were tracing, investigating or heard about involved external attackers; 83% of these incidents involved external attackers. That leaves some that were insiders - not always malicious insiders - but if they're coming to get you, it's from outside. Additionally, 97% of all the breaches they investigated appeared to have a financial motive as opposed to a driver such as espionage. Some of the takeaways from this are that if stolen credentials are most likely to get you, then what could you be doing better to battle this eventuality? Furthermore, this year's report has a call-to-arms from Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, CISA, in the United States. The takeaways for her are that everybody should be using multi-factor authentication, especially on really high-value accounts - administrator accounts, for example. We have seen that organizations that do this, even when they get their credentials swiped, stop attackers dead in their tracks because the attackers can't use the credentials, as they're being protected by really strong MFA. MFA is not bulletproof, but it is a huge help. The next step is for CISOs to say, "How do we apply this? How do we strengthen ourselves based on what the current attacker tactics, techniques and procedures are?"
Delaney: Mat, as someone who's followed the report for years, were there any surprises this year?
Schwartz: I've written reports like this in the past, and you need to find interesting and innovative new ways of not saying the exact same thing, and of trying to take what is not fundamentally different from what you said the year before, or the year before that, and serving it up in a more interesting way. I will say, nothing in here surprised me. Is it useful? Yes! It's useful for giving us a barometer of where things are at. It's useful that the director of CISA is saying: you've heard all this, so where do we go from here? She's saying we need to do better; we know all these things, so how do we do better? In that respect, I think it's helpful. If you've been out of the data breach picture for a little while, and you're punching back in, it's helpful. How this also might help people is that not all ransomware events that got reported to Verizon for the report ended up costing people money. The report also tracks security incidents. That would include things that got stopped dead in their tracks. Where there was a ransomware incident and a company reported that it did end up costing them money - incident response being the most likely cause - they did see that costs had doubled. Here you've got a real call-to-arms: the more you prepare, the more you can drive that cost down, if you don't catch ransomware outright. You can keep those incident response costs contained if you've got a good plan, if you've got experts on tap who can come in and help you quickly, and if you've practiced it with all the people who need to be practicing it. Nothing we haven't heard before, but definitely useful reminders as we face down the continuing scourge of data breaches, including ransomware.
Suparna Goswami: You said that social engineering is above ransomware. The U.K. government is planning to come out with its anti-fraud strategy, where - since a lot of scams are driven by social media - it says, "Why don't we make these social media companies, especially Meta, accountable?" What is your view on that? Do you think that will help and will bring in more accountability?
Schwartz: In the data breaches they looked at, ransomware was trending ahead of social engineering. However, that doesn't correlate with total losses, because the FBI, in the past, has said business email compromise attacks are stealing a vast amount more - than we know of - than ransomware. Its volume might be lower, but the damage is higher. Holding social media companies to account is a good goal. We've seen this, for example, with the unfortunate area of child sexual abuse material: attempting to hold these social media firms to account or ensuring they've got better processes and practices to combat this horribleness. Is it going to be the end-all, be-all? No. Social engineering is trickery; it's you and I having a conversation, and me warping it for my nefarious purposes. There's no technological way to stop innovative people using our communications tools against us.
Goswami: Tracing back - just to put it in practical terms - when did we start having the conversation? At what point in time did I ask you to transfer an amount to me? Tracing back all that conversation, which starts on social media and somehow leads to a WhatsApp chat - tracing all that will be challenging.
Schwartz: It's challenging because that happens on our smartphone or in our browser, or via other approaches. Banks in the U.K. - the big ones - have been required to put more controls in place, and you get checks and prompts now if you're transferring money: Why are you doing this? If it turns out that you're doing it, and we've alerted you that this could be a fraud, and you do it anyway, you might lose your money. That has helped drive things down to that point where the money changes hands. That's been helpful. Hopefully, with social media, that would be helpful as well. However, I don't think it's going to catch everything.
Delaney: Excellent analysis, Mat! Suparna, you've been traveling the globe, from Malaysia to the Philippines, recently. Tell us first about the Fraud Summit in Malaysia. What were the main takeaways?
Goswami: Thanks, Anna. I participated in an anti-fraud summit, which took place in Malaysia. I cover more of North America, as far as fraud is concerned, so it was good that, for a change, I was covering the Southeast Asia market for fraud. There were many similarities in account opening fraud. By the end of the year, Malaysia will give licenses to five banks that can operate as digital-only banks. How will they ensure a better KYC process? Do we need to rethink the authentication process? Or will the new authentication tools used in traditional banks work? These are questions that were being spoken about; let us wait and watch this space. This will be an exciting space to cover later this year. AML: I equate this with the ransomware problem in the cybersecurity space. Every bank in the world is dealing with this, and fraud and AML continue to operate separately. That was spoken about, but when I was speaking with the AML person, he said, "No, this is a fraud problem; AML is a different team." On stage, he said that AML and fraud need to work together, but in practice, they work in a siloed manner. That is something that I've heard in the U.S. as well, so a very common theme. Synthetic ID fraud: Southeast Asian banks are among the most targeted in the world, accounting for a large share of synthetic ID fraud. India is the most targeted country, followed by Romania, where fraudsters target national ID cards to create fake or synthetic IDs. Another was a lack of use of data analytics. Lots of discussions were around data analytics, and how banks barely make use of this data. Currently, because of strict regulation on data usage, sharing amongst each other continues to be a problem - the same as in the U.S. However, the Singapore government has given out a mandate to the banks that they can share data amongst each other. Singapore has taken the lead here; hopefully Malaysia and other countries will follow suit.
However, while there are some similarities, there are differences as well. I've mentioned this before in a discussion, but credit card fraud in APAC is much lower. I heard banks in Singapore, to some extent, talking about it, but others in the Philippines and Malaysia were not talking about credit card fraud, which is much less prevalent in APAC. Faster payment fraud: faster payments are not so much of a concern for banks here as they are in the U.S. I reckon the general maturity in APAC for faster payments is higher because we skipped the credit card phase altogether. It was only for a few years, but we skipped that. These were the takeaways for me as far as the Fraud Summit is concerned.
Delaney: Then you were in the Philippines moderating a round table. What was top-of-mind for CISOs there?
Goswami: I did take the opportunity to meet practitioners in the Philippines and Malaysia. Of the top topics on their minds, number one was privacy. I've mentioned this before, but privacy is a very hot topic across Southeast Asian countries. While Singapore already has a very strong privacy law, Malaysia and the Philippines are looking to revamp their laws - because their laws came out before GDPR - to make them more relevant. Indonesia came out with one last year, Sri Lanka came out with one last year, and India is trying to come up with one this year; there's a lot of discussion around this. A few of the regulators I spoke with in the Philippines said that they are looking to have a common privacy law for Asia, like in Europe. I don't know how much it will work out, or how many years it will take. However, discussions have started: why not? Why can't Asia have its own privacy law? Then, another important topic, which I thought is top-of-mind, was that digital-only banks are coming up in APAC. As I mentioned, Malaysia, this year, will see five digital-only banks; the central bank - Bank Negara - will probably give licenses to these banks. It's similar in the Philippines; many digital-only banks are coming up. It's an even more interesting space to follow how these new-age banks will deal with security issues. Additionally, 5G in Malaysia: the entire discussion was that they have gone ahead, and a large section of the population - more than 50%, I think 70% - has 5G coverage. There are multiple 5G security stories we can explore, and I'm already working on them. Because 4G and 3G will not go away, how will 4G continue to work with 5G? The security issues with 4G and 3G will continue, so how will you deal with that? Because in 5G, the security is more or less built in, but in 4G and 3G it's not built in. How will you balance both? Lots of interesting stories that I can explore for the rest of the year.
Delaney: That reminds me of the Verizon report, because as Mat said, they found that most of these crimes are financially motivated. However, when you're looking at espionage, they saw more activity in that space in the APAC region. Was that top-of-mind? Particularly, as you said you're looking at 5G, were they talking about espionage? Is that a concern right now?
Goswami: They were not talking so much about espionage right now, at least in Malaysia. In the Philippines, 5G has not reached that kind of maturity, but in Malaysia, it was about how you balance IoT security. Everything is so layered; how do you bring zero trust into 5G? What are the various ways? What do you do about 2G and 3G and 4G? How do you eventually phase those out? You will reach 6G someday; how will you eventually phase out 3G and 2G? What are the various ways you can do that? The discussion was more on that rather than espionage. However, I'll explore that as well; I've not spoken to them on that.
Delaney: Lots of interesting stuff there. Thank you so much, Suparna. Rashmi, you follow the digital assets regulatory landscape globally. What's happening in the U.S. space at the moment? What's taken your interest?
Rashmi Ramesh: The SEC sued two of the biggest players in the crypto space - Coinbase and Binance - because they allegedly violated securities law. However, why is the SEC suing them? And didn't the CFTC file charges a few months ago as well? The question is: who regulates what in the digital asset space in the U.S.? The short, confusing answer is "no one and everyone." The long, confusing answer is "it depends on what you think crypto assets are." Are they securities? Are they a commodity? Depending on that, the SEC and the CFTC are claiming jurisdiction; for now, both seem to be targeting the same companies for similar alleged illicit activities, but separately. In the recent Binance case, the CFTC filed charges in March, and the SEC filed about 13 of them against the company and its founder on Monday. The regulatory ambiguity is one of the reasons that there's no easy conclusion in the Tornado Cash case as well. The service is a crypto mixer used by bad actors to launder stolen funds. However, it is a decentralized platform, meaning there is no central authority. Thus, who's liable? The folks who made the software or the folks who are part of the community? All of them? Then, there's the issue of OFAC's authority in sanctioning the platform. There are several arguments, even a major lawsuit, that say that the sanction is a violation of privacy and freedom of speech, and that OFAC is only allowed to sanction people and property, not software, which is what Tornado Cash is. It is, allegedly, an overreach of OFAC's authority. Who does what in the U.S. with respect to digital assets is really anybody's guess. However, who benefits from this tug-of-war? Non-compliant crypto exchanges that support sanctioned Russian and North Korean threat actors, hackers, ransomware operators, cybercriminals of all sorts. At this point, it's not really a question of the U.S. doing nothing; it's a problem of everyone doing everything all at once.
Delaney: Rashmi, how does the U.S. compare with other markets? We know that the E.U. has recently brought out the Markets in Crypto-Assets Regulation, MiCA. What's your assessment of how they compare?
Ramesh: MiCA is hailed as the world's most comprehensive crypto legislation. It does make some excellent points when it comes to cybersecurity; for example, crypto-asset service providers should be liable for losses due to cyberattacks, thefts or malfunctions that occur on their platforms. It also talks about anti-money laundering provisions. Hackers have to somehow off-ramp the money they steal. There's a Travel Rule, which is the legislation's showstopper, and it's already in use in traditional finance. It says that the source of an asset and its beneficiary have to travel with the transaction, and be stored on both sides. It's new to crypto, so that allows law enforcement to trace crypto assets and prevent and mitigate crime. However, MiCA has its own gaps. It doesn't address DeFi, which is, currently, one of the riskier landscapes in the industry. Fun fact: with the SEC suing Binance and Coinbase, the trading volume in the DeFi space increased by more than 400%. This is still a developing landscape with a lot of ambiguity across geographies. Eventually, here's to hoping that there's a clearer, holistic and cross-border regulation that supports innovation.
Delaney: An exciting space to report on, and thank you so much! You built up my next question very nicely. Fun factoids! We're all about learning on the Editors' Panel. What is something new you've recently learned in the cyber, infosec and privacy spheres? Do share your fun factoids or surprising thoughts of the day.
Ramesh: I can start off! I've been looking at the payment space across the world. This is an opinion: for a country that is supposed to be far ahead in terms of tech, the U.S. has an unnecessarily complex and dated payment system. Systems that a country like India has had for years are only now being experimented with in the U.S. Faster payments! Like Suparna mentioned earlier, they've been around for a bit, but people talk about them now because of FedNow. Additionally, legacy technology is more challenging to secure. While the world moves on to simpler, more secure systems, the U.S. doesn't really appear to be the leader that I thought it would be in the financial innovation space.
Delaney: That's fascinating! Suparna?
Goswami: In Indonesia, OJK - the financial regulator - has mandated that all financial institutions need to have a separate person looking after security. There has been no CISO position till now; there's not a single bank in Indonesia which has a CISO. They came up with the regulations in December, and within this month, all banks need to have a CISO. I was speaking with a few of the practitioners there, and they're like, "We are being told that you're the CISO, and suddenly we have to handle this." It was really surprising to me that even now, in 2023, they didn't have a CISO and were expected to handle security on their own. IT is supposed to be different; security is supposed to be different. Until now, IT was handling security. Now, people are being pushed - "you become the CISO" - or they are asking people to come to Indonesia and take the CISO position.
Delaney: That's incredible! That's great. Mat?
Schwartz: This week I was tuning into a conference from the European cybersecurity agency, ENISA, on chatbots, and the promise and the peril of AI chatbots. Fascinating panel! Lots of great experts on it! Great audience questions! One of the discussions that came out was about misinformation and how we battle the use of chatbots for misinformation. There was a guy from the Thales Group, Adrian Becue. One of the things he found fascinating is that, when we're talking about AI chatbots, there's a lot of cybersecurity stuff that we've already seen before that applies. Misinformation used to be a bit of a separate sphere. However, we're seeing it collide or come together in interesting ways when it comes to chatbots, because they're good at taking these large sets of data and serving them back to us. The challenge with misinformation is, in his words, "What is truth?" He poses it almost as a political or philosophical question. When all of these language models are being analyzed and fed back to us in convincing-sounding, but sometimes wrong, ways, getting to the sense of what is real or not - tying back to the discussion that Suparna and I were having about social engineering - is in the eye of the beholder. It adds this almost philosophical level onto what are currently being modeled or seen as cybersecurity challenges. Fascinating overlay there! No easy answers.
Delaney: Very philosophical in 2023. What is truth? That is a big question. This has been informative and fun! Thank you so much, Rashmi, Suparna and Mat!