
April 2008

Tips To Help Your Customers Fend off Phishing And Vishing


The National Academy of Engineering identified cybersecurity as one of the handful of major challenges facing humanity for the next 50 years. In fact, cyberattacks may undo most of the benefits of modern computing if no one stands in the criminals' way. The key to fighting back is to treat the hackers as innovators: ill-advised, misguided, greedy, evil, but innovators nonetheless.

Hackers succeed by keeping one step ahead of most of us. By the time we learn about phishing, they attack us with pharming. When we catch up with that, they unleash vishing. The latest outcry concerns a clever use of Google searches to hunt down hidden and supposedly secret data on the Web. Schooling oneself only in yesterday's attack engenders a false sense of security and leaves us vulnerable to whatever comes next.

By treating hackers as innovators, one becomes the equivalent of a master chess player. An amateur chess player may craft brilliant attacks, but is likely to ignore what the opponent is planning. A professional player will pay equal attention to what either side can plan against the other. That is the key to computer security.

When you get a request for any information, however marginal, ask yourself: could that be a hacker? Hackers come to you through the Web, through your e-mail, through your phone. A few use regular mail, and even fewer knock on your door. They usually profess some emergency and offer help. They sound reassuring. They even tell you that they are here for you because there are so many hackers out there. We are all busy. We want to expedite things. And we tend to think that we are too anonymous to be targeted, too poor to be robbed, too smart to be fooled.

Hackers exploit these beliefs time and again. It is not enough to reason that you have never heard of a spoof like that. After all, most people have never heard of vishing: a voice-based attack that exploits the fact that, over IP telephony, a call can originate anywhere and the caller ID it presents cannot be trusted. What's needed is an informed customer base ready to take on hackers move for move, like master chess players.

Here are some generic tricks to pass on to your customers:

(1) Double Channeling. If you are contacted through e-mail, ask to be contacted by phone, and vice versa. Most hackers are not equipped for double-channel fraud. Banks should not mind; in fact we urge financial institutions to standardize dual channeling for important messages. Handle any pressing phone call from a stranger by asking him to call you back in twenty minutes, or, better, by calling back yourself at a number you look up independently (for example the one printed on your card or statement) rather than one the caller supplies. Hackers can't hack that. A powerful defense is to ask the petitioner, whatever you are asked to do, to send you the request by regular mail. Because of mail-fraud laws, most hackers will not comply.

(2) Contrived Errors. Type in the wrong credit card number, the wrong expiration date, the wrong PIN. Fraudsters will thank you anyway; bona fide correspondents will ask you to re-enter. A site that accepts an obviously wrong number has already told you all you need to know, so do not follow up with the right one.

(3) Contact Data. Don't enter any information on any site that does not have a "contact us" section. And if it does, ask a pedestrian question. Wholesale sweepers will not bother to answer.

(4) Missing Phone Numbers. Be suspicious of outfits that have automated answering machines during business hours and whose numbers do not show up in phone directories such as Switchboard and White Pages.

(5) Taking Names. Ask any phone solicitor to spell his name, give you the phone number where he can be reached, and provide a street address (not a P.O. Box). Repeat the same questions at the end of the conversation, saying you did not write the answers down earlier. A hacker blurting out a fake name is likely to forget or misspell it the second time around.

(6) Recording. Notify the phone petitioner that you intend to record the conversation to help combat cybercrime. The average hacker will hang up before you can say Holy Moly.

(7) Recording II. Do record unsolicited petitions where the law permits it (some jurisdictions require the consent of every party to a call). Voice patterns are a strong biometric identifier.

(8) Asking Questions. Ask for the geographic location of the caller. A legitimate caller will gladly identify the city he or she is calling from. Ask about the weather there, and check the answer on the spot against an Internet weather service.

Starting next month, we will test-drive an interactive module for security managers at financial institutions, processors, and merchants, challenging you with data-security scenarios. Get a head start at: www.agsgo.com/dig-trans-security.htm.