Special report — Experts: VI vulnerable to cybercrime

BVI Beacon:

At some point on Sunday night, the website of FirstCaribbean International Bank began offering cheap Viagra to its customers.

No, sales of erectile dysfunction pills did not suddenly replace banking as the company’s business model. The bank’s website appeared to be hacked.

According to the bank, neither its website nor client accounts were breached. Instead, search engines were briefly misdirected to another site, but the issue was quickly resolved, the bank said.

The incident was the latest example of a trend of rising cybercrime that could pose serious risks to financial services firms across the Virgin Islands.

On Friday morning, dozens of industry practitioners and public officers gathered at The Moorings at a conference convened by the firm KRyS Global to discuss the threats that cyberattacks pose to the territory and what can be done to fight back.

“This affects everybody,” said Simon Cook, a director of KRyS Global’s VI office. “At some point we’re all going to get hacked. It’s something we need to think about in the BVI due to the nature of the financial jurisdiction.”

VI vulnerability

Last year saw a series of high-profile incidents in the United States: The bank JP Morgan lost accountholder information for 83 million households and businesses; a breach at Target cost the retailer nearly $150 million; and North Korean hackers attempted to blackmail Sony Pictures, prompting the resignation of company leader Amy Pascal.

The VI has also seen its share of damage from lapses in cybersecurity. In 2013, stories produced by the Washington DC-based International Consortium of Investigative Journalists — several of which alleged that VI-registered companies facilitated illicit activity abroad — contributed to a decline in worldwide demand for VI incorporations, the core business of the territory’s financial services sector.

Those stories were based on “data leaks” of company ownership and account information held in some 2.5 million files belonging to two VI trust companies.

But reputational damage isn’t the only threat. For decades, Chinese and Russian clients have favoured VI structures when conducting business abroad. Those same countries have “a lot of capability” for launching cyberattacks, and hackers there could potentially have an interest in accessing VI computers to steal data related to cross-border corporate transactions, according to Mr. Cook.

“What you have is a whole lot of information, much of it confidential, being held in a data room,” he said. “If someone breaches that, they could jeopardise a deal or give someone an upper hand to get a better price. That could have potentially enormous value.”

Hackers’ motives

While money is often the reason behind attacks, that can’t be assumed, said George Georgiades, a forensic expert with KRyS.

“It could be bragging rights, prestige,” he said. “There’s different motivations. It could be curiosity.”

Ultimately, though, motivations are often irrelevant.

“It’s nice to know, right? But it doesn’t change the risk that each organisation has,” he said.

Much of the time, cybersecurity breaches involve the theft of financial data, particularly credit card numbers, which thieves steal in bulk and resell online.

“There’s a whole black market out there where people sell people’s information,” Mr. Georgiades said. “There’s a quality grade of how good is that information, how skilled it is.”

The black market has matured over the years, added Sean Theron, a manager with the Cayman Islands office of KRyS.

“Their customer service is amazing. They’ll give you three to try out for free. They’ll say, ‘Here: Test them out for a few days before you buy,’” Mr. Theron said.

Sophisticated attacks

Speakers at the conference highlighted what they called a growing sophistication in the nature of attacks and the organisation of the hackers. In those underground online markets, hackers belonging to organised crime groups typically charge one to eight dollars for a single card number, or around $250 to rent an infected computer to launch an attack, said Lorraine Leung, Scotiabank’s global director of technological crime and forensics.

“They understand how payment systems work. They know how to reach you. They know how to get to the people in your organisation,” she said.

In extreme cases, malicious lines of code snuck into banks’ systems can even control ATMs remotely, she said.

“You can see surveillance of people sitting, waiting outside ATMs, and the machine will automatically spit money at a certain time and all they have to do is go in and get the money,” she said. “That’s how advanced they’re getting.”

Phishing

For many years hackers have used a technique called “phishing,” posing as a bank or other trusted organisation in order to steal a customer’s passwords.

Guy Phoenix, the chairman of Fresh Mango, gave an example of a website that offers to tell users what their name would be if they were a character in The Lord of the Rings. To get the name, users have to type in their first and last name, their birthday and personalised information like the name of a family pet. That website then e-mails users a link so that they can find out their name.

“What do you think might happen if I clicked that link?” he asked. “Yes, I got my name, but, guess what, some malware was instantly put on my computer so that it could follow keystrokes, and when I went on to my online banking they could find out what my password is.”

A recent trend, presenters said, is the use of “spear-phishing,” where hackers target specific organisations. Fresh Mango had a client who lost more than $15,000 due to a bogus e-mail received nearly a year before the theft, Mr. Phoenix said.

“What the hacker had been doing was just patiently sitting and watching their e-mails,” he said. “And they learned that they had a supplier in the US that they quite often sent large sums of money to. So they replicated an e-mail from the supplier saying, ‘Here’s your bank account balance, and by the way we have changed our account details.’ It’s that simple.”

Preventing attacks

Deterring would-be attackers, Mr. Georgiades said, depends on having the right technology and processes in place and making sure users follow them. That means restricting access to the most critical systems; having “intrusion detection systems” that can spot a breach; and knowing how data flows through a company to determine where it is most vulnerable.

If a breach does occur, forensic specialists can use investigative and intelligence gathering techniques to determine the extent of the damage and plan a response. That could involve alerting law enforcement, or, more commonly, it may focus on containing the breach to stem the damage. Speakers advised businesses to form an incident response plan to minimise further damage if hacking does occur.

Much of the aim of the conference was to raise awareness about cybercrime — an awareness that is sometimes lacking here, said Mr. Theron, the KRyS manager.

“The biggest thing I’ve spotted is that people think this is a big corporations issue,” he said. “They say, ‘Oh, the big corporations, they’re getting attacked’ — like Sony and Target. But I’m thinking the trend is moving toward smaller, more targeted attacks. They’re finding that the big guys have firmed up.”