Cyber theft is a constant threat to everyone, no matter who they are, as long as they have an Internet presence. The results of being phished or having your identity stolen can be devastating for an individual. It can be even more costly for a title company, which is responsible for protecting not only the business, but its employees and customers.
And cyber criminals are smart. As soon as companies and individuals find a way to protect against one malware software or one phishing scheme, the fraudsters come up with another. This is why it’s important to stay as up-to-date as possible about the latest schemes and how to protect yourself and your company against them. During a recent webinar from October Research LLC, two cyber security experts informed participants about the latest threats and the best ways to guard against them.
Coming after you
During the webinar, David Jevans, founder, chairman and chief technology officer of Marble Security, pointed out a recent news item, in which an escrow firm shut down after being the victim of cyber theft. The perpetrators walked away with $1.5 million. Jevans has also heard of other recent cyber theft schemes pilfering money from the escrow accounts of unsuspecting title and escrow agents.
According to a report from the Financial Services Information Sharing and Analysis Center, criminals go after customers with lots of cash, a small IT infrastructure and few controls. At the top of the list of targets are title and escrow companies, followed by government contractors, municipalities, school districts and other small businesses.
The main way money is stolen, Jevans said, is through account takeover, where criminals take control of online financial services accounts and move large amounts of money off shore. Once out of the country, the money is not reimbursable.
“You and I as consumers, when we go to the store and use our credit cards, if the credit cards get stolen or hacked, or we get a phishing email when we type our credit card online and someone starts using it, we are generally not liable because we are protected by Regulation E and Regulation Z,” he said. “[These] are federal regulations that protect consumers so that if we experience fraud, generally banks are obligated by the federal government to reimburse us for those fraudulent transactions.
“However, for businesses like ours, we do not have any of those statutory protections,” Jevans continued. “If, as a business, our account gets taken over, if our computers inside of our companies get infected with malicious code that allows attackers to get in and start moving money out of our accounts, we are not protected. There is no federal protection law at all, which basically means that protecting ourselves is up to us. We need to have strong protections on our computers, on our networks and on our online banking sites to prevent the bad guys from taking over our accounts.”
How they do it
According to Jevans, there are nine key ways cyber attackers can hack into title company computer systems:
- Malware, Trojans, Zero-day Attacks — This is malicious software designed specifically for financial crimes. Jevans said there are more than 100 million different pieces of malicious software out on the Internet right now. “The reason there are so many is because this is how the bad guys defeat anti-virus software,” he said, emphasizing the need for all attendees to have good, paid anti-virus software from a reputable company. But he warned that this still might not be enough. “The fact remains that even with the latest updated antivirus, bad guys are still able to put malicious code on your computers because they are generating tens of millions of different ones a year, which means antivirus can’t keep up,” Jevans said. “So while it’s important to have, recognize that antivirus can only protect you from between 80 and 90 percent of the malicious code, and between 10 and 20 percent of it can sneak past antivirus and get onto users’ computers without anyone being able to detect it.”
- Key loggers — These are invisible pieces of software that get installed on a computer. They track everything that you type, and track usernames and passwords to online banking, payment systems and other secure computer systems. The software sends the information to the thieves, who use it to hack into the internal computer systems, Jevans said.
- Compromised Wi-Fi hotpots — Jevans said this has become increasingly prevalent as more and more people work remotely. There is no guaranty of security when you are using a WiFi hotspot in a Starbucks or at an airport, he said.
- Poisoned DNS — These attack the core infrastructure of the Internet which turns the location name, such as mybank.com, into the numbers the Internet uses to route to it. The hackers use it to change the numbers to re-direct the victim to the attacker’s website.
- Malicious and privacy leaking apps — “If you are allowing people to access your online banking or your internal systems from their own devices, know that there are apps out there that may be on the app store that are not necessarily malicious, but might do things that you don’t want, like uploading all of your address book information onto the Internet,” Jevans said. “If you think about that, that address book information might contain all of the information, including email addresses, phone numbers and names of everybody that you work with. And that makes you a prime target for spear phishing and other targeting, because if that data is sitting on the Internet, I guarantee some hacker is going to get it at some point and now they know you are a title company, where you are and how to target individual users.”
- Jail broken and rooted devices — “Many of us think that our androids and iPads are very secure and in general they are, but if they get jail broken or rooted — which allows you to install software from anywhere, not just the app store — you’ve lost all security controls and those devises are very, very vulnerable,” Jevans said.
- Un-patched OS Versions — Jevans also said it is important to keep computers updated with the latest versions of the computer operating system. There are more security controls in the newer versions of the operating systems. Gregory McDonald, chief executive officer and founder of Cloudstar Consulting Corp., noted that Windows XP users will be particularly vulnerable as of April 9, 2014, because at that time, Microsoft will no longer provide security support for Windows XP.
- Spear-Phishing— The hacker sends targeted emails to employees pretending to be from the company’s IT security system or the bank to lure people into providing their usernames and passwords, which the criminal then uses to get into the company’s system.
- Advanced Persistent Threats — Otherwise known as APTs, these threats happen when criminals target a company and its employees by investigating on LinkedIn, Facebook, etc. “You might think, why would they target me and my small company?” Jevans said. “But this is where the money is. If they can make $500,000, they are going to target you for six months. And they’ll be targeting 30 or 40 other companies at the same time. They only need one to make that $500,000 and then they are good. They don’t have to work for the rest of the year or for two years.”
Jevans and McDonald noted that there is an entire underground cybercrime market and that it doesn’t take a lot of skill to execute one of these cyber fraud schemes.
“These people do not have to be programmers; they don’t have to be cyber experts; they don’t have to have a Ph.D in programing,” Jevans said. “They can go onto these online marketplaces and buy software to target you, and buy all the pieces that they want for a few thousand dollars to start creating fraud against you that can [cost you] hundreds of thousands or millions of dollars. There is an entire community out there doing it.”
“It doesn’t always need to be a criminal overseas. It’s not hard to download and install [software],” he said. “Maybe they don’t know what they are doing, but we can all point and click and we can enter into a company’s website, have those password hashes and run some more tools and before you know it, you are stealing money.”
After analyzing current threats, McDonald walked participants through ways to protect themselves. He started by talking about password security.
“More often than not, what I see when I’m out in the field are passwords that are the child’s first name, or your pet’s name is always a favorite,” he said. “So you have a pet and his name is Rover, its Rover1. So a little bit of research on Facebook and [the hacker] is going to get that person’s pet’s name, that child’s name or spouse’s name or things like that. So it’s really important to make sure you have strong passwords.”
He noted that cracking passwords is easy to do. Criminals can go on the Internet and Google “WindowsXP password cracker” or “Windows 7 password cracker” and find free tools to crack someone’s password and break into the computer system.
McDonald said having a secure password means having one with a minimum of eight characters, capital letters, lowercase letters, and alternative characters like the pound sign or exclamation point. It is important that each password is unique.
“I’m sure everyone on this webinar has 50, 60, 70 different places we log into and who wants to manage all these passwords? It’s a chore, right?” he said. “But if you think about it, in the physical world, you wouldn’t use the same key for your car as your house. You wouldn’t use the same key for your house as your safety deposit box. You wouldn’t use your safety deposit box key for anything else you would lock up. … so in the real world, we have different keys for different doors and it should be the same way online. We need to use separate passwords, complex passwords and do our best so when folks go to pwaudit.com after a server has been breached, it becomes a hard task for them
It is also important for those in charge of escrow to have an office with a locked door.
“We are talking about cyber security and malware software, but sometimes simply locking a door is a really good thing to do if you have a workstation with permissions to go in and disburse funds within your settlement services software or use that work station for wire transfers,” McDonald said.
McDonald also advised attendees to make sure company computers are encrypted. He said there is free software out there that, once installed, will protect the information on the computer if the computer itself is stolen.
“It’s really important because one of the things we forget about is the old fashioned smash and grab,” he said. “These criminals are targeting companies they know have access to the dollar amounts we have in this industry. Break a window, take a computer, go through the computer.”
In addition, McDonald emphasized the importance of performing updates on your operating system and software.
“They are not fun. I don’t think they are fun. The computer usually needs to reboot and I don’t have time for that,” he said. “But, it’s a decision that needs to be taken seriously and that needs to be done in order to safeguard your future, your company’s reputation and the money that is in your escrow account.”