Cyber Crime – Law Street (https://legacy.lawstreetmedia.com) – Law and Policy for Our Generation. Feed last updated Wed, 13 Nov 2019 21:46:22 +0000.

Startling Holes in Our Cybersecurity Network: The Tesco Bank Hack
https://legacy.lawstreetmedia.com/blogs/technology-blog/startling-holes-cybersecurity-network-tesco-bank-hack/
Thu, 17 Nov 2016 22:13:59 +0000

This marks a new trend in hacks.

The post Startling Holes in Our Cybersecurity Network: The Tesco Bank Hack appeared first on Law Street.

Image courtesy of Jane Embury; License: (CC BY-SA 2.0)

Tesco Bank, the British retail bank run by the UK’s largest supermarket chain, lost approximately 2.5 million pounds this month after hackers broke into the accounts of more than 9,000 customers. The bank has pledged to reimburse customers who lost money and ultimately decided to suspend online banking for all of its 136,000 customers. Spokespeople claimed that personal data had not been compromised in the hack and that customers do not need to change their passwords, yet the sheer scope of the attack has made security experts uneasy.

The company first caught on to the breach on Saturday, November 5, and immediately began texting customers who had been affected. Many customers saw their money being moved out of Tesco accounts via overseas transactions to Spain and Brazil. Although there was initial concern that the hack was an inside job, aided by a bank employee, it is now being chalked up to general human error and a failure to create a truly secure system.

This attack represents a major modern shift in cybercrime, from attacking individual customers to attacking an entire bank in one go. Perhaps the most troubling discovery in the wake of the hack was that Tesco had been warned by the security firms CyberInt and Codified Security about the weaknesses in its system, which the company did not respond to. No company can be expected to track every spam email about cybersecurity that floods its inbox, but in this case, if the reports from Codified Security truly were purposefully ignored, it reveals a dangerously cavalier attitude toward cybersecurity at the Tesco Bank headquarters.

Defenders of the bank have argued that the hack was successful because it took place during the weekend, when the technical staff were not at their desks, responding to customer reports and warning signs like they would during the work week. Regardless of the timing of the attack, the amount of money shifted from customer accounts is disturbing, especially as it is only the latest in a string of high profile hacks this year. Almost two years ago, the Bank of England highlighted cybercrime in the meetings of its financial policy committee, noting that banks were woefully unprepared for large scale attacks on their databases, but that warning came and went with very little impact.

It is not only smaller, less conventional banks like Tesco that have been targeted: in January of this year, HSBC shut down its mobile banking platform after a distributed denial of service attack. Tesco Bank is a relative mom-and-pop bank compared to the global behemoth that is HSBC, which explains why it did not have the same early warning notifications and success that HSBC did when shutting down the January hack. No bank, either electronic or brick and mortar, is definitively safe, but when hundreds of accounts are being attacked, there is a clear issue with security. Tesco Bank will take a major hit in the wake of the attack, but rather than lying back and celebrating the decline of a competitor, other UK banks–and banks around the globe–should be rushing to their own cybersecurity teams to repair the weaknesses that could be exploited in the next great hack.

Jillian Sequeira
Jillian Sequeira was a member of the College of William and Mary Class of 2016, with a double major in Government and Italian. When she’s not blogging, she’s photographing graffiti around the world and worshiping at the altar of Elon Musk and all things Tesla. Contact Jillian at Staff@LawStreetMedia.com

Combatting Cyber Attacks: Will Congress Adopt Obama’s Plans?
https://legacy.lawstreetmedia.com/issues/technology/combatting-cyber-attacks-will-congress-adopt-obamas-plans/
Fri, 31 Jul 2015 17:27:24 +0000

What can be done to stop hacking?

"Mac Hacking" courtesy of quatro.sinko; License: (CC BY 2.0)

America is dealing with a hacking crisis. It seems that every other day we are bombarded with the latest hacking stories from both the private and public sectors. We are told to be cautious with all of our online activity and to remember all uploaded material remains in cyberspace forever. Almost all of us personally know someone who has dealt with identity theft and all the hassles that ensue. Some of the biggest companies in the world with the means to access the most anti-hacking software available aren’t immune to the problem. Even the national government recently made headlines concerning Chinese cyber attacks. So what can be done? In his 2015 State of the Union, President Obama addressed cybercrime. The Obama administration proposed new legislation and amendments to the Computer Fraud and Abuse Act. Will these proposals better protect Americans from hackers?


Case Study: Ashley Madison

Just last week, a new team of hackers was at it again. People are already discreet about dating websites and apps. A level of anonymity is essential for a high volume of users. This is even truer when a dating website revolves around married men and women cheating. Ashley Madison’s slogan is “Life is short. Have an affair.” Some may chalk it up to karma, but the invasion of privacy for these members is real.

The hackers call themselves “The Impact Team.” According to Brian Krebs, the blogger who initially reported the hack, they threatened to release stolen information unless the website shut down entirely. Apparently, the team gathered users’ nude photos, sexual fantasies, names, and credit card information. It also claims to have addresses from credit card transactions.

Members of the website can post basic information and use limited features without charge. The company rakes in money when members exchange messages, photographs, and gifts. The website even offers a feature to “collect gifts” for women to send and men to pay for later. The website also has a $19 deactivation fee. This happens to be one of the major qualms of the hacker team, who claim that information is never truly deleted from the website. The hackers’ manifesto published by Krebs stated, “Full Delete netted $1.7 million in revenue in 2014. It’s also a complete lie…Users almost always pay with credit card; their purchase details are not removed as promised, and include real names and address, which is of course the most important information the users want removed.”

Ashley Madison boasts over 37 million members, making it the second largest dating website in the world, second to Match.com. Ashley Madison’s parent company, Avid Life Media, values itself at $1 billion and was looking to go public on the London market this year. Ashley Madison has done away with the deactivation fee, but has yet to comment on whether or not it will shut down.

Although the majority of people aren’t online dating in order to have an affair, the hack embodies everything scary about online interactions. Personal information and discreet activities on websites or social media applications can be made public in the blink of an eye. Just this past March, 3.5 million AdultFriendFinder users were hacked. The hackers exposed email addresses, usernames and passwords, birthdays, zip codes, and sexual preferences. Overall, the trend doesn’t look good.


Hacking Statistics

Verizon Data Breach Investigations Report

Verizon publishes an annual Data Breach Investigations Report (DBIR). The latest report shows that 96 percent of online security incidents fall into nine patterns: “miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial-of-service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.” The 2015 report investigates more than 2,100 data breaches and roughly 80,000 reported security incidents. Over 70 organizations around the world help contribute to the report.

The 2015 DBIR reports a $400 million loss from approximately 700 million compromised records in 61 countries. The report shows that in 70 percent of the cases where the hacker’s motivation is known, there is a secondary victim. This is exemplified in the Ashley Madison case. Although the hackers are targeting the owners of the company, the users are violated as well. And in 60 percent of cases, hackers are able to infiltrate a company in a matter of minutes. The share of breaches discovered within a similar timeframe falls significantly below that level.

Tricking people directly into divulging their information, such as credit card numbers, is still around but is a much less effective method. Now, phishing campaigns are a primary source of attacks. A hacker usually phishes by sending an email carrying malware, typically as an attachment. Today 23 percent of recipients open these types of email and 11 percent open the attachments. For over two years, more than two-thirds of cyber-espionage incidents have included phishing.

In more uplifting news, malware on cellphones doesn’t even account for 1 percent of the problem. Mobile devices are not the preferred medium for data breaches. Only about 0.03 percent of cell phones contained malicious materials.

U.S. Companies Hacked

According to a study conducted by the Ponemon Institute, the financial loss by cybercrime doubled from 2013 to 2014. Retailers lost approximately $8.6 billion in 2014 due to cyber crime. Furthermore, successful cyber attacks resulted in a $20.8 million loss in financial services, $14.5 million loss in the technology sector, and $12.7 million loss in the communications industries.

Last year was plagued by cyber attacks. In January, Target announced 70 million customers had contact information compromised, while 40 million customers had credit and debit card information compromised. In the same month, Neiman Marcus announced that 350,000 customers had credit card information stolen, resulting in fraudulent charges on 9,000 customers’ credit cards. In April, an AT&T worker hacked the system for two weeks and accessed personal information including social security numbers. In May, eBay asked all its customers to switch their passwords after a cyber attack accessed over 233 million eBay customers’ personal information. In August, over 60 UPS stores around the country were hacked, compromising financial data. The list continues…


The Computer Fraud and Abuse Act

In order to combat these cyber attacks, Congress passed the 1986 Computer Fraud and Abuse Act (CFAA). The act made accessing a protected computer a federal crime. Although it was initially established to protect government organizations and a few financial institutions, over the course of time, it eventually broadened. It was first amended in 1994 to allow private citizens to file civil suits against cyber attacks that resulted in loss or damages. It was again broadened in 1996 to encompass any computer used in interstate commerce. After 9/11, the Patriot Act amended the CFAA to permit the search and seizure of records from any Internet Service Providers (ISPs). Later in 2008, the CFAA was again amended to allow companies to file suits when the loss and/or damages did not surpass $5,000.

The CFAA has been subject to its fair share of criticism. Many believe the act to be too broad in scope. Opponents argue that computer policies are often “vague, confusing and arbitrary,” and breaking these policies shouldn’t be a federal violation. Institutions such as the Center for Democracy & Technology, Americans for Tax Reform, the Competitive Enterprise Institute, and the American Civil Liberties Union have all advocated against the CFAA.

The Ninth Circuit Court of Appeals agreed. In a 2012 case, United States v. Nosal, the court ruled that “a person who violates an employer’s computer use policy is not criminally liable for federal penalties under the Act.” The court argued that the law was not enacted to federally punish smaller crimes. However, a strong dissent left the issue controversial, if not unresolved. The definition of “exceeds authorized access” left ample room for a Supreme Court review. The crime only becomes a felony if it is executed for profit, the gained information is worth over $5,000, and/or the act is committed to further a state or federal crime.


The White House’s New Proposals

The Cyber Security Legislative Proposals aim to enhance cybersecurity information sharing between the private sector and government, modernize law enforcement authorities to combat cyber crime with the appropriate tools and training, and streamline national data breach reporting requirements. Last December President Obama announced,

In this interconnected, digital world, there are going to be opportunities for hackers to engage in cyber assaults both in the private sector and the public sector. Now, our first order of business is making sure that we do everything to harden sites and prevent those kinds of attacks from taking place…But even as we get better, the hackers are going to get better, too. Some of them are going to be state actors; some of them are going to be non-state actors. All of them are going to be sophisticated and many of them can do some damage.

A main element of the proposal is a number of amendments to the already-controversial CFAA. First, the proposal would increase the penalty for “circumventing technical access barriers,” i.e. hacking into a computer by sidestepping security or guessing another’s password. Violators under the current law risk anywhere from a misdemeanor to a three-year felony. The proposal would have punishment start at a three-year felony and run up to a ten-year felony.

Second, for contract-based crimes, the proposal would officially end the aforementioned circuit split. It states that breaking written policies would be a federal crime and officially defines “exceeds authorized access.” A person would exceed authorized access if he or she accesses information “for a purpose that the accesser knows is not authorized by the computer owner.” Technically, this would include using a work computer for personal activities like Facebook; however, the government would limit criminal liability by requiring that the violation fall under one of three conditions: the breach happened on a government computer, the breach results in over $5,000 worth of information, or “if the user violated the written condition in furtherance of a state or federal felony crime.” These changes, along with a variety of others, make up the administration’s proposal.


Conclusion

Whether these proposals will pass through Congress remains to be seen. Broadening the scope of hacking to allow more crimes to fall under federal jurisdiction has traditionally lacked support from the body. The proposals are controversial, with a lot of personal information and accessibility at stake. It will be interesting to see the reaction from the public if these proposals are enacted. Cyber crime is an ongoing problem that affects all citizens, regardless of demographics, and only seems to be exploding. If this isn’t the answer, then what is?


Resources

Primary

White House: Updated Administration Proposal

Additional

Verizon: The 2015 DBIR

CNN Money: Hackers threaten to release names from adultery website

The Heritage Foundation: Cyber Attacks on U.S. Companies in 2014

Jolt Digest: United States vs. Nosal

Tech Target: What is the Computer Fraud and Abuse Act?

The Washington Post: Obama’s proposed changes to the computer hacking statute

The White House: Securing Cyberspace

Verizon: Verizon 2015 Data Breach Investigations Report Finds Cyberthreats Are Increasing in Sophistication

Jessica McLaughlin
Jessica McLaughlin is a graduate of the University of Maryland with a degree in English Literature and Spanish. She works in the publishing industry and recently moved back to the DC area after living in NYC. Contact Jessica at staff@LawStreetMedia.com.

The U.S. Needs to Take a Firm Stand Against China on Cyber Attacks
https://legacy.lawstreetmedia.com/blogs/technology-blog/u-s-needs-take-firm-stand-china-cyber-attacks/
Thu, 11 Jun 2015 15:50:24 +0000

The back-and-forth battle is far from over.

Image courtesy of [Global Panorama via Flickr]

Last Thursday, United States officials revealed that they believe Chinese hackers were responsible for the May cyber attacks on U.S. federal agencies. The attacks compromised the personal information of more than four million current and former government workers. China responded by dismissing such accusations as “groundless” and “irresponsible,” stopping just short of ensuring that China does not condone cyber attacks. “We are very firm on this,” said China’s Foreign Ministry Spokesman Hong Lei. This is just the latest incident in a back-and-forth saga between the U.S. and China when it comes to cyber crimes.

Lei’s statement may not have been completely truthful. In May 2014, Lei released a similar response to the Justice Department’s indictment of five Chinese hackers for cyber crimes against five U.S. companies and a labor union in the steel, solar, and nuclear-power industries. According to the Guardian, “China’s foreign ministry called the allegations preposterous and accused the U.S. of double standards.” But the accused in the 2014 case were members of China’s People’s Liberation Army. In other words, their attacks do represent China engaging the United States. It is evident that the U.S. must take a firm stand against China’s aggression. Nevertheless, there are numerous challenges and implications to consider on that front.

For one, China’s assertion that the U.S. resentment of Chinese attacks represents a double standard is justified. Edward Snowden’s release of NSA files unveiled a surveillance program that spanned numerous countries, including China. In March of last year, Snowden leaked another document exposing the NSA’s penetration into the networks of Chinese telecommunications giant Huawei Technologies in search of evidence that the company was involved in espionage operations for Beijing. This complicates how far the U.S. can go to condemn China’s actions in the cyber sphere.

The potential costs of engaging China in cyber warfare are massive. Cyber attacks can threaten the control systems of dams, water-treatment plants, and power grids, compromise sensitive information stored on government networks, and access video surveillance cameras. Electronic door locks, elevators, and even life-sustaining medical devices are vulnerable to cyber attacks. While the U.S. rarely has to worry about war in its territory, in the cyber realm, physical boundaries are irrelevant. The statistics regarding the cost of cyber crimes are staggering. The Center for Strategic and International Studies estimates the annual cost of cybercrime and economic espionage to the world economy at $375-575 billion. Telecommunications giant IBM claims that there were 1.5 million monitored cyber attacks in the United States in 2013 alone. In a “60 Minutes” interview, FBI Director James Comey said, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.”

Political action is fraught with challenges, too. China, with its massive population and rapidly developing economy, lends itself to lucrative opportunities for American corporations. Consequently, the Chinese and U.S. economies are closely intertwined. According to the CIA World Factbook, China ships 17 percent of its exports to the U.S. and is the largest foreign holder of U.S. Treasury bills, bonds, and notes. So, the government response to Chinese cyber attacks cannot deter China from doing business with American corporations. Germany’s cancellation of its longstanding contract with Verizon following Snowden’s NSA leaks serves as a cautionary tale, and the fact that most major Chinese corporations are government owned only further complicates the issue.

So, the U.S. government is left with few options. One thing it can do is encourage the development of cyber technology. The government should support programs such as the DARPA Cyber Grand Challenge, a competition aimed towards creating an automated cyber defense system, and incentivize the best cyber experts to work with the government by providing resources and appropriate compensation.

More importantly, the government needs to send the message that attacks on American networks will not be tolerated. This could mean under-the-table threats of retaliation to avoid negative media attention. Fear of retaliation should deter Chinese attacks, and if attacks persist, the government can deny visas to Chinese citizens, limit military ties, or implement economic sanctions. It is important to keep the campaign low-key and ensure that economic sanctions do not incite an aggressive Chinese response.

Examples of the United States asserting itself following a breach of security are littered throughout history; the U.S. defeat of Japan following Pearl Harbor and the assassination of Osama bin Laden following 9/11 demonstrated that we are not afraid to track down and engage our enemies. It is time to assert our status as the world’s leading superpower once again.

Hyunjae Ham
Hyunjae Ham is a member of the University of Maryland Class of 2015 and a Law Street Media Fellow for the Summer of 2015. Contact Hyunjae at staff@LawStreetMedia.com.
