Why Are Cyber Thieves Always Steps Ahead of Enterprises?

Featured article by Narayan Sivaram, Vice President and Regional Head for Cards and Payments, Infosys

A sign of the times is that commuters on buses and trains are known to wrap their credit cards in aluminum foil so their personal information can’t be ‘skimmed’ by nearby cyber thieves. The practice recalls paranoid UFO believers who, in the 1950s, would wear hats made of aluminum foil so that aliens couldn’t read their brain waves. What’s mind boggling about the two stories is that the second was the stuff of nutty conspiracy theorists and the first is a grim reality of being a digital consumer today.

Cybercrime is a growing problem. As companies create more mobile apps, they’re giving criminals more ways to break into their systems – systems that grow more sophisticated and intertwined with the development of the Internet of Things (IoT). And, as the recent stand-off between Apple and the United States government has shown, no device or system is safe from hacking. So-called back-doors are as much a part of the problem as they are a solution.

As recently as February, the United States Attorney for the Southern District of New York, Preet Bharara, announced the indictment of seven alleged cyber thieves with access device fraud and aggravated identity theft for their roles in schemes to steal customer bank account information and to use counterfeit and stolen debit and credit cards in New York. The seven accused were also charged with using devices that used skimming technology to secretly record the debit card and personal identification numbers of customers who used automated teller machines (ATMs). Skimming devices can steal hundreds of card numbers of ATM users, which can be encoded on new counterfeit cards and used to make thousands of dollars of fraudulent charges or withdrawals.

And it’s not just skimming devices attached to ATM machines. Unsuspecting subway riders who use the congested railcars to get to work might brush up against people with mobile skimmers that can upload credit card and ATM card information in a matter of seconds. When a reporter asked the notorious 1920s criminal Willie Sutton why he robbed banks, he replied: “Because that’s where the money is.” The preponderance of today’s cyber thieves yielding not tommy guns but hand-held credit card skimmers is a testament to that enduring reply. Cybercrime is where the money is, and it’s going to take a lot more than sheets of aluminum foil to make it go away.

That’s because criminals don’t necessarily need the new brand of mobile skimmers to lift personal credit card and ATM card information. In March of 2016, a man pleaded guilty to stealing $55 million from ATM machines after remotely hacking into the networks of prepaid debit card payment processors. He was able to inflate the account balances on the cards and then use them to make numerous withdrawals around the world.

In the recent Infosys Enterprise Leaders survey, banks reported that they view big data and analytics (21.7 percent of respondents), and technology for encryption & enterprise security (17.4 percent) as having the maximum impact in solving the industry’s business challenges. Clearly, with relatively small percentages of banking respondents citing encryption and enterprise security at the top of their list of concerns, what can consumers do to make sure their money is safe?

For years, cybersecurity has been a numbers game. That is, the cost of investing in high quality online security was more than the cost of occasional breaches. So banks and other enterprises (retailers included) weren’t motivated to create robust security programs. But companies are changing their approaches because the money being stolen by cyber thieves is more than what it would take to bolster their defenses against such crimes. There’s also the growing concern that mobile banking apps are the next target for cyber thieves. There have not been any large or highly publicized hacks via banking apps in the same way criminals have used conventional websites and ATM scanners. But most experts say it’s only a matter of time.

The most high-profile example of what is in store for mobile devices and security is the current wrangling between the computer manufacturer Apple and the U.S. government over whether or not the company would provide a “back door” for law enforcement to open a terrorist’s iPhone. What the government wants is for Apple to install software on it devices that would override a feature that wipes them of information after ten incorrect guesses of the phone’s passcode. A permanent back door on all devices initiated concerns over consumer privacy.

But then the controversial antivirus company founder John McAfee said that if the government gave him the iPhone in question, he could hack into it in less than three weeks. Said McAfee in an interview: “I will, for free, decrypt the information on the…phone, with my team. We will primarily use social engineering and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in their product, which will be the beginning of the end of America.” Essentially, he called out the government for making an example of Apple when in fact the government could easily access the iPhone’s information on its own and without Apple’s help.

But the government is pretending it can’t access the device without Apple’s help because it doesn’t want to shed light on how easily hacked even the most locked and guarded computers can be, confirming what we’ve long suspected – today’s enterprises and hackers alike have very talented people who can render even the most robust security measures useless.

Other experts argue that within five years, the concerns of customers won’t be whether their devices will be hacked but rather when (not whether) their entire houses, cars, and investment portfolios will be unlocked by hackers. Indeed, in the Infosys Enterprise Leaders survey, 88 percent of retail industry leaders said point-of-sale security and customer data encryption/privacy was a low concern. Only 12 percent of respondents said security was a high concern. Likewise, 43 percent of insurance industry leaders said enhanced digital security to deal with cyberattacks was a medium-level concern and 57 percent said it was a high concern on their agenda.

That some enterprises are not interested in protecting their digital consumers shouldn’t come as a surprise. In a recent magazine poll of 1,000 women, a whopping 70 said they text while driving. It turns out that company and consumer can be just as reckless in the new digital economy. What’s worse is that because of the rise in influence of the Internet of Things, more drivers will be busy on their mobile devices unlocking their houses, warming up their ovens, and letting the dog out of the house on their commutes home from work. So maybe humans are their own worst enemy.

The Internet of Things is progressing far more quickly than the ability to keep attached devices safe. It appears at this point that the bigger the IoT becomes, without the commensurate safety measures, the harder everyone attached to it will fall. The good news: Enterprises that realize the need for a radical re-thinking of security will benefit because their products and services will be in enormous demand as the IoT becomes a reality.

Narayan Sivaram, Vice President and Regional Head for Cards and Payments at Infosys.

Narayan Sivaram (Nans) has nearly two decades of experience in the IT industry across delivery, consulting, and client services. Over the last decade, Nans has played a leading role at Infosys in the cards and payment domain through several strategic, domain-led engagements, and client advisory roles. He has diverse leadership experience in sales and client services roles. Nans has led several innovative platform-based offerings in the cards and payments space.

Nans has undertaken several market focused activities with industry analysts and media, covering transformative trends in digital, big data, cloud, and technology modernization.

Nans holds a Bachelors of Technology in instrumentation and electronic engineering from Anna University, India.