By: Gene Fredriksen, Security Strategy Consultant
In this real-life story, it is 2018 and Kwamaine Ford, an employee of a celebrity at the time, seemed to have the world by the tail. He traveled in famous circles and lived a glamorous lifestyle. However, Ford had a dirty secret – he was funding his lifestyle with an illegal hobby. He used his social networks to phish celebrities’ accounts, taking advantage of their credit cards and other assets.
How did Ford accomplish this? He used celebrities’ contact information to call them, posing as an Apple customer service associate, and ask them to change or share their passwords. He convinced more than 100 victims to give him their iCloud passwords, thereby gaining access to a plethora of personal information including photos, emails and sensitive documents.
As Apple began to receive phishing complaints from these celebrities, the company involved the FBI to investigate. They learned that Ford stole an estimated $325,000 by fraudulently using victims’ credit card numbers he obtained through phishing. Special Agent Joseph Zadik, who investigated the case out of the FBI’s Atlanta field office, said, “A lot of people are using cloud-based services to back up data from their devices. This important information is stored remotely and accessed through login credentials.”
What Can Credit Unions and Members Learn from This Story?
While credit unions take great care to protect their members’ credit card and financial information, it is easy to overlook what is stored in the cloud. By default, many email systems and productivity tools store files on the web. Imagine the wealth of information held in the countless emails and documents you save. How many times have you been told to file electronic copies of important documents in the cloud to act as back-ups? While it is a great best practice from an accessibility standpoint, it gives cybercriminals an opportunity for data theft depending on how secure the controls are.
So, what can your credit union employees and members do to help prevent cybercriminals from accessing sensitive data in the cloud?
- Accounts that get compromised usually involve an easy-to-guess password. While warnings about the vulnerabilities of weak passwords are given constantly, many people still don’t follow this simple advice. Even worse is when the same password is used across multiple accounts. A strong password is at least 12 characters long and complex (a combination of upper and lower-case letters, symbols and numbers).
For greater protection, you can use a commercial password manager, such as Keeper or LastPass, or even invent your own method of password memorizing. PC Magazine also lists their top-tested password managers in a recent article. No matter what method you use, the main point remains: don’t make cybercriminals’ jobs easy.
- Encryption is, so far, the best way to protect data. Encryption tools are built into many software applications, such as Microsoft Word and Excel, and allow you to create a password-protected file. Once you move that password-protected file to the cloud, no one will ever be able to see the contents of the file without knowing the password.
So, what ever happened to Kwamaine Ford, the scammer from this story? He pleaded guilty to computer fraud and aggravated identity theft charges earlier this year. He was sentenced to more than three years in prison and is currently serving that sentence. The moral of the story is, take stock of what information you have stored and where. Ask yourself, “What would happen if a cybercriminal grabbed hold of this information?” If the inventory reveals sensitive information, look at ways to make it difficult for a hacker to access. Paying attention to details today will return a solid level of protection for your information in the long run.
Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.
Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.