Protecting the vulnerable from cyber-crime Rebecca Rogers Bournemouth University Cyber Security Unit


Post on 20-Jan-2016


Social Interaction

http://www.internetlivestats.com/one-second/


What Happens to Your Data


The World Wide Web


The Dark-Web


Accessing the Dark-Web

• Not all bad
• Requires special software to access
• The Onion Router
• Sets up the specific connections you need to access dark Web sites


TOR

• Onion Routing – bounces internet users' and websites' traffic through relays run by thousands of volunteers around the world.
• Difficult to trace Internet activity back to user
• Intended to protect the personal privacy of users


Bitcoins

• Encrypted digital currency
• When paired with TOR – increases anonymity
– No one can trace a purchase/sale

• Favourite currency for cyber criminals


Who is interested in buying your stolen data?

• Data travelled to 22 countries and 5 continents
• Accessed 1,100 times in 12 days
• 2 cybercrime syndicates shared data with peers
• Data tracking technology to uncover what happens to sensitive data after a hacker stole it.


• Criminals contacted the source requesting to buy it in bulk.

• Bitglass's watermark "phones home" when a file is opened or downloaded, grabbing IP address, geographic location, and the type of device accessing it.


How your data gets sold

• Marketplaces on the dark web, not unlike eBay
– Feedback systems for vendors (“cheap and good A+”),
– Refund policies (usually stating that refunds are not allowed).
– No special codewords to learn, no back-channels that must be sussed out.
– Information is very well categorised, e.g. on the AlphaBay market one can just click on the button marked “Fraud,” then into subsections like “Personal Information & Scans” or “CVV & Cards.”


Product Pricing

Source: 2013 Panda Security report – The Cyber Crime Black Market: Uncovered


Who is stealing your data

• Before the Internet, criminals required physical access.

• Hackers originally attacked technology for fun – now attack the user for financial gain.

• Used to work alone, now work as teams, trading information to create a more complete picture of an individual.


The Cost

• Costing worldwide economy £289 Billion annually

• UK is Europe’s Number One Target For Cyber Crime

• UK Individuals lost £268M in year up to 31st August 2015 (total £34 Billion)

• Most proceeds of fraud leave the UK – true cost to UK economy


The Cost – Elderly and Vulnerable

• The impact is wide-reaching
– often on low fixed incomes which make recovering from financial loss impossible
– they are likely to suffer psychological effects such as stress, anger, emotional upset and embarrassment which they may not recover from
– can become dependent on government support where they had previously been self-reliant – increased cost to UK economy
• Often end up on ‘suckers lists’ identifying them as potential targets – creating a vicious circle which they cannot escape


Why the elderly and vulnerable?

• Elderly and Vulnerable more attractive
– Easier to confuse
– More trusting
– Unlikely to report
– Savings
– Desire for products offering better quality of life
– Changes in pensions
• An increase in the number of pensions-related calls around the time the new rules came into force.


Profiling - TalkTalk

• Potentially 1.2 million customers had their personal information stolen by hackers.
– Significantly, dates of birth were taken as well as names, addresses, email addresses, telephone numbers, credit card and bank details
• Calls claiming to be offering compensation
• Emails instructing victims to download software to ‘protect’ their systems
• Many calls were made up to five days before TalkTalk announced that they had been hacked.
• Some of the conmen have call centre training which means they sound genuine


Tactics

• Botnets – take control of computers and use processing power/storage to launch attacks - http://map.norsecorp.com/
• Phishing/Spam emails – Spear, whaling
• Buffer overflow – accessing unused memory and overflowing causing disruption
• Covert channel – tapping in covertly e.g. man in the middle (wifi and cable) attacks
• Malicious software – software designed to cause deception – Trojan
• Input attacks – e.g. SQL injections (TalkTalk) tricks database into telling it confidential information
• Social engineering – builds a profile based on publicly available information and uses for e.g. ID theft but also traditional techniques of deceit
• Back door – avoids authorisation and authentication requirements


Tactics – Phishing Emails


Reporting

• More than half of Britons have fallen victim to cybercrimes
• Less than a third actually reported the crimes
– Unsure who to report it to.
– Do not perceive as a real crime
– Too trivial
– Not aware they are a victim
– May get reimbursed by bank (don’t need a crime reference number to get money back).
– note change to regs on police reporting cyber crime


• Those aged 65+ are less likely than all internet users to use some online, and most mobile, security features

• They are also less likely to report having negative online experiences.


Prosecution

• 2007 – 2012 only 88 people sentenced under Computer Misuse Act 1990.
– Difficult to investigate and prosecute
– Mostly under non-financial fraud crime


Changes to legislation

• Computer Misuse Act updated
– Made easier to prosecute British nationals irrespective of where they are located
• However, only 10% of UK cyber crime is committed by UK Nationals
• No overarching jurisdiction
– Aimed at protecting National infrastructure (power, water) as opposed to individuals
• No deterrent to low level cyber criminals


What the future holds

• Elderly and vulnerable will be all but cut off from government services, shops and local communities because of the rise of the internet

• Increasing use of apps to help those with long-term conditions manage their care, with more use of online booking of appointments, as well as medical consultations online.
• Approximately 40% of people aged 65 or over in the UK do not have access to the internet at home


What can be done

• Training and Education
– Elderly and vulnerable not experiencing technology through education or employment
– Training 6.2 million people without basic digital skills would cost £875m by 2020
• Designing systems which take into account the capabilities of the most vulnerable in our society
– By making the device seem like an everyday watch, it reduces at least some of the potential barriers to the elderly in its use.