Friday, 16 December 2016

Cyber insecurity

In the new edition of my book I mention (p.25) cyber security as an example of how organizational rules are often flouted, leading to risky behaviour such as inadequate passwords or clicking on links that contain malware.

This is a microcosm of a much wider set of issues which have been brought to the fore this week with the news that Yahoo suffered a cyber-attack which may have compromised the personal data of more than a billion user accounts. This is the latest of a string of high-profile cases involving companies including Tesco Bank, mobile phone company TalkTalk, and infidelity dating site Ashley Madison.

Such cases are themselves a microcosm of an even wider set of issues around online frauds and scams. Today, UK consumer groups have criticised inadequate protection against bank transfer frauds where people are conned into making payments they are expecting to make to a legitimate recipient but which are diverted to a scammer.

It is for most of us a daily experience to receive emails that purport to come from banks or other organizations (‘phishing’), or from someone in our email contact list supposedly robbed whilst abroad and in need of our funds (the ‘sad news scam’), as well as the older scam of the message about money to be transferred if the victim first transfers a smaller sum (the ‘Nigeria 419 scam’ and variants). In all cases what is being sought is money, data, or the installation of malware which will allow these to be collected, with ‘ransomware’ being an increasingly common, and nasty, version. There are also numerous scams that are initiated by phone. Common examples include the bogus call from ‘Microsoft’ leading to remote control of your computer and/or demands for money to remove viruses.

It’s easy to think that only the extremely gullible are taken in by any of these things, but some of them are very convincing and the forms they take change, so it is easy to be caught out. Moreover, as new technologies emerge, such as contactless card payments, new possibilities for theft are created. The massively increased use of mobile devices also creates new scams, and the immediacy of a mobile (compared with, say, an email on your PC) makes an instant, unconsidered response that much more likely. Plus the emergent ‘internet of things’ makes cyber security even more challenging.

Like any other crime, there is a mixture of personal, corporate and regulatory issues that may offer protection from or redress for cyber-crime. I like to think (but don’t we all?) that I am reasonably savvy about cyber security, partly because I worked on a research project about it recently. But what I find irritating is how we are increasingly pushed into exposing ourselves to the risk. Personally, I have never signed up for internet banking and I never use contactless card payment, but that has become more and more difficult to sustain. Telephone, let alone branch, banking is increasingly difficult, and banks seem amazed when people refuse to bank online. In shops, I have had contactless payments taken without consent. And, beyond that, I’ve recently had a couple of experiences where my bank has contacted me on a withheld number asking for security information in order to progress queries. They were, in fact, genuine calls, but I think it would have been easy for a fraudster to mimic them.

More generally, it’s all but impossible to live off-line to any great extent nowadays, or not without a huge amount of inconvenience. But the practices of organizations capitalise on this. Every single commercial and state organization you deal with demands personal data – often way beyond what is needed for the transaction in question. The privacy policies of these organizations are far too complex to understand, and refusing to sign up to them renders it effectively impossible to access a huge swathe of services. Then again, I have never (knowingly) signed up to Facebook, Twitter or LinkedIn, but I nevertheless get endless emails from each of these, and unsubscribing has no effect. Equally, I always tick the ‘no’ options on communications from internet sites I buy from, but often get communications nonetheless and often find that unsubscribing from these makes no difference.

So although we are bombarded with advice about how to protect ourselves from cybercrime and internet marketing, the reality is that there is relatively little that we, as individuals, can do. And the things we might consider, such as single password sites for multiple accounts, can make us more insecure as they concentrate sensitive data in one place.

Insecurity is endemic to the human condition – existentially, psychologically, socially, economically we are insecure. Today, we have to add a new insecurity, virtual or cyber insecurity, in which we may be bullied, blackmailed, lose at best our money and at worst our identity.
