Don’t make the Pro Hacker weep

Dig tunnel underneath bank. Break through floor of vault. Blow off safe door using gelignite. Scoop up cash, gold bars, etc. Jump into getaway car.

That’s the old recipe for getting rich illegally, but now criminal gangs do it remotely, using computers. This we all know, and security is one of the big issues of our times. In the first half of 2018, crypto worth $1.1 billion was stolen by hackers, with about 75% of that being ‘liberated’ from exchanges. The figure for crypto theft in 2017 was only $606 million, so the trend is ever upwards. And this is the stuff we actually know about, because the exchanges are not keen to share news of their losses, so it’s highly likely that the bleeding away of funds amounts to considerably more.

A hacker shares the truth about security

Now call me naïve, but I imagined that what banks, financial institutions, exchanges and crypto enterprises did was to make their system as robust as possible, then sit back and wait to see if they were ever attacked, and if so, how and where. Not so. I recently had the pleasure of talking to a professional hacker, called Mr. X. (Actually, not his real name, but perhaps you already guessed that). Mr. X is employed to rain down terror and havoc on the defenses of banks and exchanges in order to find their vulnerabilities. When he succeeds, as a good citizen he reports the breach, and it’s repaired, hopefully.

The big issues are not, however, around a full-frontal assault, or DoS attack, vital though it is to protect against these. Mr. X explained that two current areas of his work are about Identification and Authentication. In other words, how does the enterprise know that its customer is who they say they are; and then how does it know that the returning customer is the same person?

In the past we proved who we were by turning up with a passport or photo ID document, maybe a utilities bill or two to prove our residence. The clerk across the desk then made a value judgement that all was well. Now the clerk across the desk may well be an automatic system using AI to register a new user over their smartphone, so how does it deal with fraudulent identity? One great example I heard of recently, from an STO about to launch, is how in the middle of the onboarding process the client is suddenly asked to stick out their tongue, for example. The AI is not looking particularly for the tongue sticking-out action, but for the characteristic look of surprise on all human faces when a strange request is made. Apparently our eyes widen, and we all back away from the camera/person making the request. “OK,” says the AI, “That’s a real person I’m dealing with.”

Mr. X confirmed that this kind of ‘Behavioral Analysis’ will become increasingly prevalent, especially in the area of Authentication. We’re all familiar with the name/password method of entering sites, plus a few additional pieces of information held back as ‘just in case’, like the name of our first pet, or our mother’s birthday. This is multi-factor authentication, at its simplest level. However, a hacker could have prepared themselves for these kinds of authentication answers, and may immediately be able to reveal my mother’s birthdate as “23rd September 19__” (I’ll leave the year blank to spare her blushes). As a less-than-perfect offspring however, I’m likely to respond, “Um, yes, err, I know this. It’s 22nd Sep… No, it’s 23rd September, um, I think…”
This is exactly the sort of behavior which AI will analyze as being more believable than the ‘smooth’ answer.

And all the time any interaction is going on between your wallet and the exchange, for example, there’s a whole lot more happening beneath the surface. On the technology level the back-end of the site you’re connected to is doing its own multi-factor checking. Is this your phone, is it being used from a ‘likely’ location and network, is there anything different about the set-up? As a user, you won’t be aware of any of the multiple handshakes which are taking place, but as Mr. X explained, there’s a constant process of checking, and cross-checking.
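The silent back-end checks described above, as an added example that is not from the article or from Mr. X: each unfamiliar signal (device, country, network, changed device set-up) adds to a risk score, and the score decides whether the login passes silently, triggers an extra factor, or is refused. The profile, events, weights and thresholds are all constructed for illustration.

```python
"""Added example: a minimal risk-based login check of the kind a wallet or exchange
back-end runs silently on every session. All data below is constructed sample data."""
from dataclasses import dataclass


@dataclass
class UserProfile:
    known_devices: set          # device fingerprints seen on earlier logins
    usual_countries: set        # countries this user normally logs in from
    usual_networks: set         # networks (e.g. carrier ASN) seen before
    device_setups: dict         # device_id -> (os_version, app_version) last seen


@dataclass
class LoginEvent:
    device_id: str
    country: str
    network: str
    os_version: str
    app_version: str


def risk_score(profile, event):
    """Return (score, reasons). Weights are illustrative, not a real vendor's model."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 40; reasons.append("unknown device")
    if event.country not in profile.usual_countries:
        score += 30; reasons.append("unusual country")
    if event.network not in profile.usual_networks:
        score += 15; reasons.append("unusual network")
    last = profile.device_setups.get(event.device_id)
    if last is not None and last != (event.os_version, event.app_version):
        score += 10; reasons.append("device set-up changed")   # OS/app update
    return score, reasons


def decide(score):
    """Below 30: allow silently. 30-59: ask for another factor. 60+: refuse."""
    return "allow" if score < 30 else "step-up" if score < 60 else "deny"


PROFILE = UserProfile({"phone-a1"}, {"GB"}, {"AS12345"},
                      {"phone-a1": ("ios-16.4", "wallet-2.3")})
NORMAL  = LoginEvent("phone-a1", "GB", "AS12345", "ios-16.4", "wallet-2.3")  # usual
UPDATED = LoginEvent("phone-a1", "GB", "AS12345", "ios-16.5", "wallet-2.3")  # OS update
TRAVEL  = LoginEvent("phone-a1", "FR", "AS99999", "ios-16.4", "wallet-2.3")  # abroad
UNKNOWN = LoginEvent("phone-zz", "FR", "AS99999", "ios-16.4", "wallet-2.3")  # new device


def evaluate(event, profile=PROFILE):
    """Return (decision, score, reasons) for one login event."""
    score, reasons = risk_score(profile, event)
    return decide(score), score, reasons
```

The user sees none of this: an OS update alone still passes, a trip abroad from the usual phone prompts one extra factor, and an unknown device from an unusual place and network is refused outright.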

Are we our own worst enemies?

So we can all sleep safely in our beds at night? Not quite. Mr. X and others like him work to protect against attacks, but guess where the biggest vulnerabilities are? You. And me. And most of us. We’re the ones still using the world’s favorite ‘ironic’ password, Password123. We’re the ones in the following story which I witnessed the other day. OK, it’s not crypto, but it happened, and it’s not untypical:

I’m standing behind a woman at the supermarket checkout. About to pay with her credit card, she shouts to her partner, who is packing the shopping, “Is my VISA card PIN 6754 or 6745? I forget.” He has a think, and shouts back, “It’s 6754 I think.” The woman keys in the PIN, “Yes, 6754, that’s right.” So now about fifty people in their immediate vicinity have the details – great!
It would probably be enough to make Mr. X weep.