on 31-10-2018 01:28 PM - last edited on 20-12-2018 04:14 PM by Aoife
Shhh! Someone's listening...
An uninvited guest, Elliot, has inserted himself into your conversation. You are sitting in a coffee shop chatting with your client Grace and, unbeknownst to you, Elliot at the next table is listening to your entire conversation. This unwanted guest eavesdrops on your conversation with your client and gathers all of their critical information. When you leave the table, he continues the conversation with your client, pretending to be you.
I know what you’re thinking: this would not be possible face-to-face. Your client, Grace, knows what you look like and what you sound like. But what if I told you that this is not improbable at all… it is happening online today.
This seemingly far-fetched scenario is a very real cyber-attack method, commonly called man-in-the-middle (MITM). The attacker, in this instance Elliot, intercepts your conversation, places himself between the two parties and relays to each side only what he wants it to hear. When the "conversation" is email and the attacker works from a compromised mailbox, as in the rest of this post, the industry term is business email compromise (BEC); the man-in-the-middle label describes the same position: an attacker sitting between two parties who each believe they are talking directly to the other.
How could this happen?
Hackers like Elliot use various methods to gain access to your computer systems. Elliot may have used a phishing scam to capture your credentials, or taken advantage of a poorly secured Wi-Fi router of the kind often found at free public hotspots, where an attacker on the same network can intercept unencrypted traffic. His goal is to obtain your password and get into your email account. Statistics at the time of writing show an 80% increase in attacks carried out through email compromise.
Changing your password may not be enough
Once Elliot has got into your mailbox, he can create a rule that automatically forwards your emails to a secondary account that he controls. This means that every email you receive is also sent to his account. Using further filtering on keywords (for example "invoice", "settlement" or "bank"), he only needs to monitor the emails he deems relevant, and the same rule can delete or hide those messages so that you never notice them. So, even if you regularly change your email password, in this scenario the rule stays in place and the hacker still has access to your emails. Changing the password is necessary, but you also need to review and remove any mailbox rules and forwarding settings that you did not create.
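The check a practitioner would run after a suspected compromise is an audit of every inbox rule for the pattern described above: forwarding to an address outside the organisation, and keyword filters whose action hides the matching mail. The script below is an added example, not PEXA's code. The rule records are constructed to resemble the fields an Exchange Online `Get-InboxRule` export exposes (Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MarkAsRead, MoveToFolder, SubjectContainsWords); the mailbox, addresses and domain are invented.

```python
"""Audit exported inbox rules for attacker-style forwarding and hiding.

Added example; field names mirror an Exchange Online Get-InboxRule export
(assumption), sample rules are constructed for illustration.
"""
from typing import Dict, List

ORG_DOMAIN = "example-conveyancing.com.au"  # assumption: the firm's own mail domain

# Folders attackers commonly use to park filtered mail where nobody looks.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Keywords that, combined with a hiding action, suggest payment-diversion intent.
SENSITIVE_WORDS = {"invoice", "payment", "bank", "settlement", "transfer",
                   "account", "password", "verification"}


def is_external(address: str) -> bool:
    """True when the recipient's domain is not the organisation's own."""
    if "@" not in address:
        return False
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def audit_rule(rule: Dict) -> List[str]:
    """Return a list of findings for one rule (empty list means nothing suspicious)."""
    findings: List[str] = []

    # 1. Any forward/redirect target outside the organisation.
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    external = [t for t in targets if is_external(t)]
    if external:
        findings.append("forwards or redirects mail outside the organisation: "
                        + ", ".join(external))

    # 2. Keyword filter on sensitive topics whose action hides the message from the owner.
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    hides = (rule.get("DeleteMessage", False) or rule.get("MarkAsRead", False)
             or rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    matched = sorted(words & SENSITIVE_WORDS)
    if matched and hides:
        findings.append("hides messages matching sensitive keywords: " + ", ".join(matched))

    # 3. Empty or single-character rule names are a frequently observed attacker habit.
    if len(rule.get("Name", "").strip()) <= 1:
        findings.append("rule name is empty or a single character")
    return findings


def audit_mailbox(rules: List[Dict]) -> Dict[str, List[str]]:
    """Map each rule name to its findings, keeping only rules with at least one."""
    return {r.get("Name", ""): f for r in rules if (f := audit_rule(r))}


# Constructed sample export: two benign rules, two in the style described in the post.
SAMPLE_RULES = [
    {"Name": "Settlements", "SubjectContainsWords": ["settlement"],
     "MoveToFolder": "Settlements"},
    {"Name": "Copy to assistant",
     "ForwardTo": ["assistant@example-conveyancing.com.au"]},
    {"Name": ".", "SubjectContainsWords": ["invoice", "settlement", "bank"],
     "ForwardTo": ["e.reader@mail-example.net"], "DeleteMessage": True},
    {"Name": "Newsletters", "SubjectContainsWords": ["password"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}")
        for f in findings:
            print("    -", f)
```

Rule-level checks are not the whole picture: Exchange Online also allows forwarding to be set on the mailbox itself (the `ForwardingSmtpAddress` and `ForwardingAddress` properties shown by `Get-Mailbox`), and webmail providers such as Gmail keep filters and forwarding addresses in their own settings, so those must be reviewed separately.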
How does it work?
With access to your emails, Elliot uses the information he has gathered and, mimicking your writing style, begins a new conversation with your client Grace as you. Having acquired the same context from Grace's side, he then impersonates Grace when responding to your emails, so that each of you believes you are talking to the other while every message passes through him.
Once he has obtained what he wants, such as a payment being sent to a bank account he controls, he exits the conversation. You and your client Grace are none the wiser until you realise you have been scammed. By then, money has changed hands and you may or may not be able to recover the missing funds.
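The post does not say how Elliot makes his messages look like Grace's; the two mechanisms seen most often in practice, and assumed here, are a sender domain that looks like the real one and a Reply-To header that quietly diverts replies elsewhere. The script below is an added example, not PEXA's code: it runs three header checks over constructed messages (display name bound to a known contact but a different address, Reply-To on a different domain from From, and a sender domain within one edit or a digit/letter look-alike of a known domain). Contact names, addresses and domains are invented.

```python
"""Flag impersonation indicators in email headers. Added example; the contact
list, domains and messages are constructed for illustration."""
from email.utils import parseaddr
from typing import Dict, List, Optional

# Assumption: the practitioner keeps a list of known contacts and trusted domains.
KNOWN_CONTACTS = {"grace nguyen": "grace@client-example.com.au"}
KNOWN_DOMAINS = {"client-example.com.au", "example-conveyancing.com.au"}


def normalise(domain: str) -> str:
    """Fold common look-alike substitutions (0/o, 1/l, 3/e, 5/s, rn/m, vv/w)."""
    d = domain.lower().translate(str.maketrans("0135", "oles"))
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> Optional[str]:
    """Return the known domain this one imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return None
    folded = normalise(domain)
    for known in KNOWN_DOMAINS:
        if folded == normalise(known) or edit_distance(folded, normalise(known)) <= 1:
            return known
    return None


def check_message(headers: Dict[str, str]) -> List[str]:
    """Return findings for one message given its From and optional Reply-To headers."""
    findings: List[str] = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # Display name of a known contact paired with a different address.
    expected = KNOWN_CONTACTS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' belongs to {expected} "
                        f"but the address is {from_addr}")

    # Replies silently routed to a mailbox on another domain.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} is on a different domain from From")

    # Sender domain imitating a trusted one.
    known = lookalike(from_domain)
    if known:
        findings.append(f"sender domain {from_domain} looks like {known}")
    return findings


# Constructed messages: genuine, look-alike domain, diverted replies, unrelated sender.
GENUINE = {"From": "Grace Nguyen <grace@client-example.com.au>"}
LOOKALIKE = {"From": "Grace Nguyen <grace@client-exarnple.com.au>"}
DIVERTED = {"From": "Grace Nguyen <grace@client-example.com.au>",
            "Reply-To": "grace.nguyen@webmail-example.net"}
UNRELATED = {"From": "Newsletter <news@some-vendor-example.org>"}

if __name__ == "__main__":
    for label, msg in [("genuine", GENUINE), ("lookalike", LOOKALIKE),
                       ("diverted", DIVERTED), ("unrelated", UNRELATED)]:
        print(label, "->", check_message(msg) or "no findings")
```

Header checks like these catch the cheap version of the attack; they cannot catch Elliot sending from your real compromised mailbox, which is why the mailbox-rule audit and out-of-band confirmation of any bank-detail change remain essential.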
What can you do to protect against a MITM attack?
I think I am a victim, what can I do?
If you suspect that you’re a victim of a scam:
Multi-factor authentication (MFA) provides an additional layer of security for access to your PEXA Workspace. The factors involved are your PEXA account name and password, your MFA token, and your digital signing token and PIN. However, you still need to be vigilant when it comes to communicating with your client, because MFA protects your PEXA login, not your email account. Soon, PEXA will introduce a new app that will allow your clients to input financial data directly into the Workspace and enable you to request and receive information from your clients securely. [Stay tuned]
As our world becomes more and more connected online, it’s important to be aware of the cyber threats that could compromise the security of your personal information and business operations. Cyber criminals have a low cost of entry into criminal activities and often enjoy the anonymity to avoid detection. With many targets to choose from, they will usually go for the easiest person to scam, so stay informed and be aware. Collectively, we are better together, as we work as one to reduce the threat of cyber-crime and stay smart online.
By Craig Brown, Head of PEXA Security
on 07-11-2018 02:45 PM
Hope you're wearing your cape still!
Since phone clones apparently happen, is PingID or the telecom provider able to detect and alert users of this if/when it happens?
Can a practitioner opt/choose;
How will PEXA implement the secure digital communication platform and environment for the client to enter their private information? Are they going to be issued a secure non-hackable browser, like BankVault SafeWindow and its invisible keyboard app, to do so?
Will this Secure communication app-portal allow the Client and Practitioner delivery, response, and execution of secure forms as used in Conveyancing process?
on 03-12-2018 10:19 AM
Just got back from an awesome vacation, and yes, my cape is always on…
To address your questions, firstly, phone cloning is about having access to the phone and duplicating the SIM card. The likelihood of this happening, although possible, is considered relatively low. Because MFA is something you know and have, you would still need to know other information besides that gained from the cloned SIM card.
Also, offering practitioners the ability to choose their own PEXA name is part of our technology roadmap.
Today, what we have is MFA at login. Our teams are actively working on additional security validations that will be rolled out in the future. For example, cyber security, as we know it today, relates to three elements: something you know, for example your password, something you have, for instance, your phone, and something you are, biometrics. Our goal is to drive towards a seamless experience, and very much like Microsoft and Google, only ask for your validation when the three elements don’t match up.
On our secure digital communication… that’s a great question. However, I’m unable to provide more details here – you’ll have to wait for the announcement and I have a feeling that you’ll be excited at what’s to come. I’m looking forward to answering your questions then!