The Internet is probably the most versatile invention of the 20th century and still continues to enlighten our thinking into the 21st century. It also has a dark side called Tor (an acronym for “the onion router”), which, like an onion, has many layers and is the gateway to the Dark Web, the encrypted space occupied by those who prefer their browsing to go undetected.
Invented by the US Office of Naval Intelligence for military-grade Internet searches, the Tor browser has since become the weapon of choice for everyone from terrorists, drug traffickers, and murderers to rapists and hackers.
Fighting Retail Cyber Security Threats
There are many experts in cyber crime, but few have taken that expertise to the next level and created a network of 3,000 international cyber warriors to wage a form of star wars in the Deep Web against the dark forces that are not only attacking business IT infrastructures, but also undermining the very fabric of society.
“It takes a network to defeat a network.” So goes the mantra of Paul Dwyer, a cyber-security expert who is no stereotypical “geeky” introvert. The rapid-fire Dubliner who shoots from the lip is the face behind the International Cyber Threat Task Force (ICTTF) and Cyber Risk International based in Ireland and the UK who evangelizes about the risks to business, not just in terms of their easily breached cyber security systems, but also their brand reputations once they are fatally compromised.
Self-taught, Dwyer worked in a pre-Internet world of computer hardware and software and honed his skill for hacking around the world, from Russia to the United States, gaining the attention and the trust of some of the biggest intelligence organizations on the planet.
“I realized that I needed to be the smartest man in the room, so I went and got an alphabet of letters after my name and started to build a reputation,” said Dwyer.
He is now an internationally recognized information security expert who has more than two decades of experience and has worked with the US Secret Service, Scotland Yard, the FBI, the National Counter Terrorism Security Office (MI5), and the UK’s National Crime Agency. He has also worked as an advisor to Fortune 500 companies, law enforcement agencies, and NATO.
Such is the potency of the network that Dwyer has established that with “scraping” or “harvesting” can inform member organizations they are under attack before they realize it themselves.
“It is about real-life events. If people have an issue such as a hacker operating in Latvia, the network can act to stop it. This is the immediacy of the cyber world, where the rules are very different to those in the real world.”
The 3,000-strong network shares intelligence with one another on a global basis. The types of intelligence they share can vary and can include training each other on how to detect and defend against cyber attacks, including those that affect retail cyber security. One organization may be in a different country but could help a retailer on the other side of the world by sharing the modus operandi (MO). This information is often referred to as IOCs (indicators of compromise) or TTP tools (tactics, techniques, and procedures) of the “bad guys.”
This type of sharing can help disrupt criminal network effectiveness quickly. An example would be when the Bank of Muscat was hit for $45 million in 2013. It became obvious that RAKBANK in the United Arab Emirates had provided the test run for the criminal group. In that real-life scenario, if RAKBANK had effectively shared the intelligence, the Bank of Muscat would not have lost the money nor had its integrity compromised.
Dwyer has brought international businesses together with his firebrand approach to fighting cyber crime. It is obviously working as those he and his network have challenged have come after him.
“I have had organized attacks against me when they launched an online army of memes,” he said. “It is like rabble rousing, getting into all of my computers to try and get me through ‘doxing.’”
Memes are ideas that are literally transmitted by computers usually by video or humorous text, but in this case, the objective was far from funny. Doxing is the the process of obtaining or deducing information about a person or, in layman’s terms, the act of searching around on the Internet for someone’s personal details.
Although calling a truce on this occasion, Dwyer is not someone who will be easily intimidated.
Cyber Task Force
So why does he do it? According to the literature surrounding the Cyber Task Force, businesses are under attack, and these raids not only impact financially, but also reputationally. These businesses have previously been forced to look at solutions alone, but the task force is a means of collective response.
Basically, the task force works rather like a neighborhood watch or early warning scheme that includes the sharing of the modus operandi (MO). If your house is broken into, you go to your neighbor and tell them that they got in through the kitchen window at 4 a.m., so that they are forewarned and can prepare or prevent this from happening to them.
Likewise, if Retailer A gets hacked a particular way, the collaborative approach means that it sends out alerts to Retailers B, C, and D. Doing this results in safety guards instantaneously going up across the industry.
What traditionally happens is that Retailer A is hacked, keeps quiet, and in four weeks bank or Retailer B is hacked the same way. And again four weeks later, Retailer C is hacked the same way. The only winners from this silence are the divide-and-conquer hackers.
“Whereas if this intelligence was shared across the sector, it would prevent this domino effect from happening,” said Dwyer.
Keeping silent may not even be an option because of the 2016 EU directive on network information security, which brought obligations upon businesses including mandatory breach notification, which means that companies will no longer be able to hide a hack for fear of brand reputation.
Robert Madelin, formerly the EU Commission’s director general overseeing digital matters, warned against “a clear and present danger” of cyber attacks in Europe, and there are hundreds of breaches a day already happening.
The World Economic Forum recently reported that interdependence in the supply chain, lack of executive leadership, and the failure to integrate cyber into risk management had contributed to their overall risk.
In a seminar at Dublin’s Mansion House, Madelin told an audience of business leaders in his own evocative style that they were all “one click away from evil.” In his presentation entitled “Sympathy for the Devil,” he said that cyber crime had become attractive, hence the title of his presentation. “It is seen as sexy, as it’s a strike for the little guy fighting the system, the hacktivists revealing stuff that governments don’t want us to see. But the reality is different. Cyber criminals want to disrupt you. They adopt a parasitic role and continue to take things from you. Like the situation in Ukraine, they want to occupy you.”
It is not necessarily the lone wolf hackers or the organized groups that are of concern. In the hidden world of the Dark Web invented by government agencies, there is evidence of “conscious collusion” between nation-states and organized cyber criminals, which goes to the core of the Edward Snowden revelations and why his actions caused such controversy and criticism from governments around the world.
“Today, cyber security is as much about the functions of risk management, governance, legal, and compliance as it is to do with technical security operations,” said Dwyer. “This is simply not a fair fight for private enterprise to have to defend itself against the efforts of a nation state. At ICTTF, we believe businesses should appoint a suitable senior person to join our cyber threat task force. This network can collaborate and work together to deal with cyber threats thus protecting Irish businesses and the economy.”
Those business-oriented members, including legal, regulatory, and technical experts, can help in the fight against the hackers and collectively manage the risk, as well as expand their own vision and network of ideas.
Our problem, he said, was that, unlike the cyber criminals, we occupy too many silos in the retail cyber security space. We simply do not share information in the same way that cyber criminals do.
“If you go on the drug-buying site Silk Road, the customer service is absolutely fantastic. They cannot do enough for you, but it is a way of luring you in. We are into the territory of normalizing crime. You are not up against someone who is operating from his bedroom with a piece of malware to buy iPads while eating pizza. Cyber crime is military grade and organized.
“Controversially, cyber crime has made the world a safer place—armed robbery is a dying trade. Violence used to be your entry point, but your entry point is now the ability to hack.”
Membership in Dwyer’s leader and warrior groups—those techies on the front line of cyber trench warfare—includes 24/7 access to the specific cyber portals, monthly virtual online briefings, and targeted newsletters and quarterly scheduled peer events. Membership has to be approved and subject to terms of reference.
Perfect Storm
Our love of social media and divulging more and more information about ourselves online makes for a perfect storm for cyber criminals who can access our lives with ease and impunity. They can buy our credit card numbers and passports and, with the growth of social media, can now freely play with and manipulate people’s lives through the click of a mouse.
“This is Dark Web grooming, which is used to great effect by the likes of Islamic State as jihadists use it for propaganda and recruitment. It used to be that we were three clicks away from evil; now it’s only one,” said Dwyer.
Retail Cyber Security Threats
Retail is one such confluence of this brewing storm. Stores hold intelligent data that informs managers as to customer likes and dislikes with the recent example of Target in the United States, which caused outrage when it sent a teenager coupons for her expected motherhood before she or her family knew she was pregnant. This had been calculated by the young woman’s previous spending habits at the store, and her irate father actually later apologized to the store after confronting them over the vouchers. This level of personal data is gold ready to be mined by retailers and hackers alike.
“Retailers, with their voucher schemes and loyalty programs, hold vast amounts of data not only about our financial and personal details, but also our purchasing habits,” said Dwyer. “Also in retail, there are so many points of entry for the hacker through the points of sale or the supply chain, for example. Compare this to the fact that retailers have under-invested in retail cyber security over many years, and this makes them an obvious target for data breaches from hackers looking for fullz information.”
“Fullz” is a slang term used by credit card hackers and data resellers meaning full packages of individuals’ identifying information. Fullz usually contain an individual’s name, social security or national insurance number, date of birth, account numbers, and other data. This is the ultimate goal for the hacker who can buy and sell individual fullz packages for around $70, details of which are all available on the Dark Web.
When those details are accessed, retailers may not even know other than their computers may appear to be working a little slower than usual.
Even loss prevention departments who collate information about suspicious IP addresses may be missing the point, as this information can also be manipulated by the hackers, and they achieve this through device collusion techniques.
Device Reputation
Dwyer argues that retailers can no longer afford to ignore the vulnerabilities, especially in an arena where they are moving into more mobile shopping and sophisticated payment methods. It is not so much about the lost profits, but more a brand integrity impact issue as a result of a major breach.
He argues that we are moving beyond IP address and into the unchartered territory of device reputation. It is no longer enough simply to be able to identify where a transaction is coming from, but to drill down into its integrity and its past lives. He wants this information shared so that fraudsters entering a store or pretending to be someone else online can be physically detained or virtually ejected because their device will reveal its past misdemeanors.
In other words, retailers can set their fraud perimeters based not on where someone lives, but by information such as what their device has been up to.
“Every device will have a reputation, and you will know if it has done something bad,” said Dwyer. “On the rugby field, the only person you should be worried about is the one who can take you out. In the case of retail, this is the hacker who is not taking things off your shelves, but has the ability to destroy your brand.”
We are part of a world that cares to share, but the question is should we dare to? The toothpaste is already out of the tube, so it is a matter of getting better at protecting ourselves from retail cyber security threats. In Dwyer’s, world you no longer need to do it alone, and collaboration and networking good guys can be just as effective as the bad guys.
For further information, visit CyberRiskInternational.com or icttf.org.
This article was excerpted from “Peeling the Onion: Why Retail Data is ‘Fullz Gold’ to Hackers,” which was originally published in LP Magazine EU in 2016. This article was updated February 14, 2017.