Hackers use combination of tricks to access details, experts say

British Science Festival hears how cyberattacks now involve psychological techniques

Hackers are now using a combination of psychological and technological techniques to access personal information, according to experts. File photograph: Getty Images/iStockphoto
Hackers are now using a combination of psychological and technological techniques to access personal information, according to experts. File photograph: Getty Images/iStockphoto

Hackers are now using a combination of psychological and technological techniques to access personal information.

Hackers are using voicemail recordings from phones, TVs and laptops to ask for money over the phone using a loved one's own words, particularly targeting elderly people, according to an expert panel on cybersecurity at the British Science Festival in Bradford.

As it stands, a hacker can sell bank details for about €120 and credit card details for €35.

However, niceness is more of a threat to company cybersecurity than weak IT or finance systems, according to the panel.

READ SOME MORE

“My suit and tie is my best secret weapon, because people don’t think someone like me will be a threat to cybersecurity,” said Ian Mann of ECSC Ltd.

He tests companies' cybersecurity systems using social engineering or "non-technological hacking" by manipulating employees.

“No system is secure unless it’s turned off and buried in concrete, but hackers publish major system vulnerabilities at a rate of about 20 per day, so it’s an ever-moving target,” he said.

“In one project, we accessed £18 billion of funds within four hours by using an employee’s LinkedIn details to make an ID card and get through a company’s swipe barrier system.”

Mr Mann said log-in details for the company’s finance system were taken from a Post-it note on someone’s office laptop because everyone “had been forced to use complicated passwords which nobody could remember”.

‘Inception’ training

"Inception"-style training to help employees to recognise intruders has been introduced by companies such as Google, to encourage workers to be on guard for people trying to get information.

“It helps if people have training to recognise us, but if I’m doing an attack I’ll ring up posing as the company auditor and ask questions about their security training to find the weakness and exploit that,” he said.

“A new attack called the ‘Friday Afternoon’ is directed at law firms during their busiest time.

“Most law firms are hierarchical and if a senior partner emails the finance department to ask for a money transfer it has to be done quickly and not questioned.

“So attackers use the company’s own culture against it by posing as senior partners requesting money transfers,” he said.

The panel also discussed the threat of terrorist cyberattacks.

“It’s the consensus of experts that a major cyberattack is beyond the capability of IS at the present time, with the US rating interstate attacks as a higher risk than non-state groups such as IS,” said Paul Rogers, professor of peace studies at the University of Bradford.

“The level of brutality used by IS makes people assume this is not a group with any sophisticated systems but we shouldn’t underestimate it.

“Terrorist groups use cyberattacks for economic disruption, but they are more likely to use them as propaganda to make the public feel insecure.”