How the Target and Uber cyberattacks from years ago shaped public perception of cybersecurity today
Cyberattacks are nothing new, but when a large company is hacked, it can have devastating consequences for both the corporation and its customers.
When one breach is patched, evolving technology seems to open another.
The high-profile corporate hacking of Target in 2013 and Uber in 2016 are just two of many such instances, but they were particularly significant in shaping public opinion around cybersecurity.
If one thing is for sure, "cybercriminals are creative, they're innovative when they exploit any vulnerabilities, and we can't underestimate that," Scott Schober, president and CEO of the 52-year-old cybersecurity company Berkeley Varitronics Systems, told FOX Business during a phone call.
Schober also authored two books, "Hacked Away" and "Cybersecurity is Everybody's Business" regarding hacking, including personal experiences from when he, himself, was hacked.
Technology and cybercrime are ever-changing, but so is cybersecurity. Schober shared his knowledge of famous breaches and emerging cyberthreats with FOX Business, as well as steps people can take to protect themselves online.
In 2013, Target was breached when hackers gained access to its point-of-sale payment card readers through a third-party HVAC vendor.
Schober says that, just as the information of individuals is often compromised because of reused passwords, large corporations are often infiltrated through a third party with weaker cybersecurity protocols.
The breach affected data collected on approximately 110 million customers, "but the irony of it was, prior to the Target breach, Target was one of the strongest early adopters to test out chip-and-PIN technology. And it's funny, they ended up abandoning it because it took too much time at the register," said Schober.
Schober explained that, following the Target breach, a new rule was put in place making vendors, rather than credit card companies, liable for the money involved in fraudulent transactions using the old, less secure magstripe swipe method of payment.
The chip-and-PIN method, which requires consumers to insert their credit card chip and then their PIN code, is used ubiquitously in Europe. In America, the chip-and-signature method is most often used, though a signature is not always requested.
This saves time, but sacrifices security.
In 2016, Uber fell victim to a data breach that compromised the information of 57 million Uber users and drivers. The company's response was to cover it up and pay the hackers to delete the stolen data.
"They basically paid hackers $100,000 to delete the stolen data and keep the breach quiet," Schober told FOX Business. "So, it's kind of like a bribe. But what they did was they disguised the payment… They called it a bug bounty payout."
A bug bounty, Schober said, is when ethical hackers try to stress your network and find vulnerabilities and are compensated for their efforts.
MICROSOFT WARNS RUSSIAN HACKERS ARE USING EXECS' STOLEN EMAILS TO BROADEN CYBERATTACKS
The breach occurred when developers working for Uber uploaded code containing sensitive login credentials to the code hosting website GitHub and the reveal of the coverup led to a corporate reshuffling. Given the ensuing backlash regarding ethics and privacy from lawmakers, regulators and users, Schober said Uber provided a good example of how not to handle a data breach.
The trust of drivers and customers was broken. "And every time I get into a ride for Uber, I sit there thinking, ‘Gosh, am I going to be ripped off here?’" Schober said.
Cybercriminals are crafty. Some find their niche skimming credit cards en masse, while others manipulate their victims' feelings by building trust before going after sensitive information.
"A lot of the scarier ones – in the past year or so I've seen this – are some of the voice cloning apps that are out there… you actually sample about 30 seconds or more of somebody's voice, and now you could enter the text in and have the app speak that voice and call someone up," Schober said.
"You build a level of trust, and they divulge a piece or pieces of information that you as a hacker need to take it to the next level and compromise somebody's account," he said.
"Phishing" is an umbrella term for attempts to steal information using technology.
Voice phishing, or "vishing," is when this happens over the phone.
To protect yourself from vishing, trust your gut if you think a phone call is suspicious, and never give out financial or other personal information, like passwords, over the phone.
Tax season is a hot time for cybercrime, says Schober.
Criminals can pose as a bank or the IRS to target you with email phishing attacks that often invent a time-sensitive situation, so you panic and comply with their request to, for example, confirm your Social Security number immediately so your accounts don't get closed.
Emails might provide a link to a site designed to mimic that of your bank or the IRS, when in reality, you are supplying the criminals with your username and password when you attempt to log in.
If you file taxes online and your information is compromised, cybercriminals can redirect your tax refunds to their own bank accounts.
If cybercriminals can gain access to your email account when you are trying to buy a home, they can pose as a real estate agent. You will already be expecting to hear from your agent, so the criminal will tell you your offer has been accepted and ask you to move your money into a fake escrow account.
Once there, your money will immediately be used to buy cryptocurrency, like Bitcoin, which is then used to buy other forms of cryptocurrency.
"There's nobody that has the resources to go chase the money and get it back for you," Schober told FOX Business.
"And then the loophole that cybercriminals realize is that the realtors on either side, and the legal people, they really don't have any problems," Schober said.
"They're not going to be sued. If somebody transfers money to the wrong account, it's really on the consumer. So you just lost the money, basically." Schober said he has interviewed multiple victims of this type of fraud, including one who lost $160,000.
You may have heard of credit card skimmers, the devices put on top of or inside of credit card readers to steal your card's information as you swipe your card. Shimmers are skimmers designed to steal information from your credit card's chip when you insert it rather than when you swipe it. Chips were invented to prevent this kind of theft.
CHINESE HACKERS PREPARING TO ‘PHYSICALLY WREAK HAVOC’ ON US CRITICAL INFRASTRUCTURE: FBI DIRECTOR
Shimmers are a big threat that few people know of at this point, Schober says. After downloading all the credit card numbers their shimmer stole, criminals burn them onto fresh cards. They are then free to spend the money or sell the cards off.
Gas stations are prime targets for skimmers and shimmers. Costco provides an example of a simple fix that goes a long way toward protecting their customers.
"There are six generic keys for the million and a half gas pumps across the United States," Schober said. "You can open it up, stick a skimmer in there, and usually it's tied in with a Bluetooth module. Then close the door. Thirty seconds, you've installed the skimmer. And as long as you're 75 to 100 feet away with a laptop and a car, you can now wirelessly collect people's stolen credit cards from that pump."
Costco retrofitted all of its gas pumps with unique locks, unlike most gas stations which do not want to spend the considerable amount of money required to do so, especially when there is little incentive.
"What a lot of people don't realize is the size of the cybercriminal gangs," Schober told FOX Business. "There were reports recently that thousands of trained Romanian cybercriminals have come over to the United States, and they're dividing up the United States and focusing on different territories where they can install skimmers. This is mass cybercriminal activity. The average gas pump, when a skimmer is on it, gets about $114,000 before the skimmer is found."
The scam: steal gas station customers' credit card information, use it to buy gasoline and sell that fuel back to the gas station.
"[The criminal] comes back with a bunch of [stolen] cards, and he usually buys diesel fuel because it's a little more profitable," Schober said. "And he comes back with a pickup truck with a 600 gallon bladder in the back, and he's got a cab over it. And he pumps and fills up 600 gallons of diesel fuel with your or my stolen credit card."
Schober said the criminals then drive around the corner and meet the tanker truck where they pump the stolen fuel. Finally, the driver goes back to the gas station and sells the gas to the business.
"Now you're talking about big bucks, you're talking about four or five dollars a gallon times 600 gallons at a time, and now being sold back to the station," he said.
Schober says the simple, if a little inconvenient, measure that anyone can take to better protect themselves online is to create long, strong passwords that are never shared with anyone and never reused.
He explained that when just one account is compromised, hackers can plug stolen usernames and passwords into automated hacking tools that try logins on the 100 most commonly used sites.
"Once they get in, they change the password, they take over the account. And again, if you do it across multiple accounts, they're going to get into multiple accounts of yours, and that causes a really serious problem," he said.
Schober also insisted upon making up fake answers to security questions when setting up accounts, since so many of the answers to provided questions are easily searchable.
Schober himself keeps written passwords in a safe, uses Safari's password keychain system and uses a password manager if he needs access to passwords while on the go.
CLICK HERE TO READ MORE ON FOX BUSINESS
Schober likens layers of digital security to layers of security on a house, such as "putting fake alarm stickers up, a sign on the lawn, a camera and alarm system, a deadbolt."
He said, "Layers of security deter thieves to move on to the next house and go for the easy target. Hackers are lazy, and their time is money. So they're just going to move to the low-hanging fruit, easy targets… So same thing we've got to apply with cybersecurity. Make them work for it."
On the subject of chip-and-PIN, Schober said, "But then ask yourself: aside from Target, when you go to buy something at a retail store, you take your card that's got the chip on it. Do you ever type in an actual pin?"
The chip-and-signature payment method, which is easier to fake, Schober explained, has become standard in America, and many stores don't even ask for a signature to save time at checkout.
"It's because the United States has the best laws in play for consumer protection. In other words, we get our money back when our card, credit or debit, is compromised. And who pays for it? We, the consumers," he said.
Schober said approximately 4% of the money that is paid on credit card interest goes toward fulfilling fraud claims.
"Nobody thinks about that," Schober said. "But you're talking about countless billions of dollars every year… U.S. consumers are paying to fight cybercrime, and pay out all these claims when your card is compromised, just because they're not doing it correctly."