By John San Filippo
Cyber security expert and CEO of Stickley on Security Jim Stickley has been featured in numerous magazines and newspapers, including Time Magazine, Business Week, Fortune Magazine, The New York Times, PC Magazine and CSO Magazine. He has also been showcased on a wide range of television shows, including NBC's Nightly News, CNN's NewsNight, CNBC's The Big Idea and Anderson Cooper's Anderson. He’s a frequent guest on NBC's The Today Show. Stickley spoke with Finopotamus about some of the more prevalent threats facing credit unions today.
“What’s old really is new again,” said Stickley, referring to the recent high-profile breach at Twitter that started with a clever bit of social engineering. Social engineering is defined as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. It relies on person-to-person interaction.
“Social engineering was big maybe 10 years ago,” added Stickley, “but over time, cyber criminals began to focus on more automated techniques like phishing.” He said that many security professionals forgot about social engineering – until the Twitter breach. According to Stickley, cyber criminals somehow determined that Twitter was using collaboration tool Slack for internal communications and were able to exploit that by communicating with Twitter employees via Slack.
“Suddenly people were saying, ‘Oh, that’s right, social engineering used to be a really bad thing and look, it still is,’” said Stickley. “Social engineering is not dead. Criminals just need the right bit of information to launch an attack.”
Stickley explained that the Twitter breach clearly relied on insider information and was most likely the result of a disgruntled employee who decided to get even. But what’s the lesson for credit unions?
“There’s not a credit union on the planet that hasn’t had a disgruntled employee,” said Stickley. He said credit unions need to consider what information an angry employee might be able to take with them and then build policies and procedures around that.
“I guarantee there was an internal policy at Twitter that would have prevented this breach, but somebody didn’t follow it,” he added. “It’s always less convenient for employees to follow security policies, but when policies get ignored, things start to fall apart.” He noted that the key to mitigating such breaches is continuous employee education and awareness.
Typosquatting is another long-time threat that Stickley claims is still widely ignored. In this type of scam, the criminal registers a domain name that is very close to a credit union’s actual domain name. Then the criminal sets up a fake site and waits for members to mistype their credit union’s URL.
“Go ahead and type any credit union’s URL except leave out the dot after the www,” suggested Stickley. “Chances are you won’t make it to the credit union’s website.” What you may find is a site that looks like the credit union’s website, but which was designed to simply harvest online banking credentials from unsuspecting members.
“With typosquatting, I really feel it’s a matter of when, not if, because it’s so darned easy,” said Stickley, whose company offers a service called Domain Assure to help credit unions combat typosquatting. “You just buy a domain name and wait.”
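The defensive side of what Stickley describes, as an added example that is not part of the original article and is not code from Stickley on Security or its Domain Assure service: it builds the list of single-edit lookalikes of a credit union's real domain (including the missing dot after "www" from his example) that the credit union would want to register or watch, and flags observed hostnames, such as those in a proxy log or a link report, that match that list. The domain examplecu.org, the hostnames and the function names are constructed for the example; the variant generator assumes a single-label TLD like .org.

```python
"""Build a watch list of lookalike domains for a credit union's real domain
and flag observed hostnames that match it.  Example code added to this
article; examplecu.org and the sample hostnames are constructed."""

# Constructed stand-in for a credit union's real registrable domain.
LEGIT_DOMAIN = "examplecu.org"


def typo_variants(domain):
    """Return common single-edit lookalikes of `domain` (assumes a one-label TLD)."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    # The article's case: the dot after "www" is dropped, so the whole thing
    # becomes a different registrable name.
    variants.add(f"www{name}.{tld}")
    # One character omitted.
    for i in range(len(name)):
        if len(name) > 1:
            variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # Two adjacent characters transposed.
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        variants.add(f"{swapped}.{tld}")
    # One character doubled.
    for i in range(len(name)):
        variants.add(f"{name[:i + 1]}{name[i:]}.{tld}")
    # Same name under a different common TLD.
    for alt in ("com", "org", "net", "co"):
        if alt != tld:
            variants.add(f"{name}.{alt}")
    variants.discard(domain)
    return variants


def edit_distance(a, b):
    """Levenshtein distance; catches substitutions the variant list does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(hostname, legit=LEGIT_DOMAIN):
    """True if `hostname` imitates `legit` but is not the real site or one of its subdomains."""
    host = hostname.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host == legit or host.endswith("." + legit):
        return False  # the genuine domain or a host under it
    return host in typo_variants(legit) or edit_distance(host, legit) <= 1


def flag_hosts(hostnames, legit=LEGIT_DOMAIN):
    """Deduplicated, sorted list of the hostnames that look like `legit`."""
    return sorted({h.lower().rstrip(".") for h in hostnames if is_lookalike(h, legit)})


# Constructed sample: hostnames as they might appear in a web proxy log or an
# email link-rewriting report.
OBSERVED_HOSTS = [
    "www.examplecu.org",     # the real site
    "online.examplecu.org",  # the credit union's own subdomain
    "wwwexamplecu.org",      # the missing-dot typo from the article
    "exmaplecu.org",         # transposed letters
    "examplecu.com",         # wrong TLD
    "news.example.net",      # unrelated site
]

if __name__ == "__main__":
    for host in flag_hosts(OBSERVED_HOSTS):
        print("lookalike domain seen:", host)
```

In practice the variant list is what a credit union would feed to its registrar to buy defensively, or to a domain-monitoring feed to watch for new registrations, while `flag_hosts` is the check to run over outbound web logs or inbound mail links to spot members or staff being steered to one of them.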
According to Stickley, scams that were popular yesterday aren’t popular today, and scams that are popular today won’t be popular tomorrow. “Cyber security is kind of like playing Whack-a-Mole,” concluded Stickley, “but the more you stay aware of what’s happening right now, the less likely you are to fall victim.”