In a world where a criminal can create deep-fake videos and audio of friends, family, and bosses, how are most people going to protect themselves from cybercrime? According to the CEO of CrowdSec, it might be as simple as paying attention, “non-digital” multi-factor authentication (MFA), and using a passphrase.
OK, wait a minute. Most people would agree with the first two, but the last one? Everyone with even minimal knowledge of cybersecurity, which is most of us, knows that passwords and passphrases are weak defenses on their own, so what is the deal?
Real vs. Digital
The key, Philippe Humeau said, is using them in real life, not online. When his team discusses issues in meetings, everyone agrees on a passphrase for whichever decision maker is chosen. It is not shared in emails, texts, or phone conversations, and only two or three people are authorized to use it. Humeau said the phrases are designed to be worked naturally into sentences, so if a communication arrives from a decision maker that does not include the phrase, it is obviously faked.
But at the same time, a real-life MFA is employed to double-check the decision. As the CEO of his company, he can request a payment through the CFO, who will follow up with him live to ensure he has issued the request. There is no such thing as “We have to pay this now to this person.”
This method has implications beyond spoofing executives for financial transactions. There has been a recent rise in virtual kidnapping scams, where criminals call or send a faked video of a loved one frantically asking the victim to send money right away. But if the caller does not use the passphrase, the victim will know it is not real. Humeau said agreeing on a new phrase regularly makes everyone even more secure.
This would not stop an insider who knows the phrase from initiating a scam, but it would be harder to pull off because of the live verification step.
So what about that “paying attention” issue?
Most organizations and people are being digitally probed every day by criminal organizations using automated systems. They are looking for weak spots in security and for financial information. Essentially, anyone who can move money is a target. On the low end are people over 50 who lost about $3 billion in 2021 according to FBI records. That is expected to rise with the use of generative AI tools. On the high end are financial-market organizations where fraud can reach trillion-dollar levels.
“There’s a lot of attacks happening every second of every day. My IP address is scanned 2,000 times a day. It doesn’t have any domain name, it doesn’t host any service, yet it’s scanned 2,000 times,” Humeau explained. “So you can count that the IP addresses of large banks, an infrastructure, a car manufacturer, can expect tens of thousands of scans per day.”
Humeau said criminals are looking for something misconfigured that they can turn to their advantage for short-term mass exploitation. “But on the other end of the spectrum, they want a precise target.” And that is the person who signs the check.
So the first step in paying attention is knowing that the person with the checkbook is the most likely target. The second step is the adoption of readily available technology.
“CrowdSec offers free software that goes through all your website logs, wherever they are. We go through those and look for bad behavior. Someone tried to guess your password. Someone tried to steal your product data. Someone’s scanning your website. Someone’s scanning the ports open on your firewall. Someone’s trying to monitor your cameras or VoIP. These bad behaviors leave traces in the logs.”
The CrowdSec tool analyzes those behaviors and blocks dangerous threats. He said they have 200,000 installs in 175 countries finding 40 million violations per day. That is a pretty good dent in the common vulnerabilities. But Humeau’s suggestions for “non-digital” security hygiene can prevent problems from arising in the first place.
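To make the “traces in the logs” idea concrete, here is an added example of the kind of behavior detection Humeau describes, written for this article and not taken from CrowdSec’s own code. It runs a sliding-window check for password guessing over a handful of constructed OpenSSH auth.log lines (not real traffic); the log year, the threshold of five failures, and the 60-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of OpenSSH auth.log entries (not real traffic).
# 203.0.113.7 guesses five passwords in eight seconds; 192.0.2.9 spreads five
# guesses over twenty minutes; 198.51.100.22 is a user who mistyped once.
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar 12 10:00:04 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar 12 10:00:06 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.7 port 51237 ssh2
Mar 12 10:00:09 host sshd[1005]: Failed password for invalid user ubuntu from 203.0.113.7 port 51238 ssh2
Mar 12 10:00:15 host sshd[1006]: Failed password for alice from 198.51.100.22 port 40001 ssh2
Mar 12 10:00:40 host sshd[1007]: Accepted password for alice from 198.51.100.22 port 40002 ssh2
Mar 12 10:20:00 host sshd[1008]: Failed password for root from 192.0.2.9 port 2222 ssh2
Mar 12 10:25:00 host sshd[1009]: Failed password for root from 192.0.2.9 port 2223 ssh2
Mar 12 10:30:00 host sshd[1010]: Failed password for root from 192.0.2.9 port 2224 ssh2
Mar 12 10:35:00 host sshd[1011]: Failed password for root from 192.0.2.9 port 2225 ssh2
Mar 12 10:40:00 host sshd[1012]: Failed password for root from 192.0.2.9 port 2226 ssh2
"""

# OpenSSH failure line; "invalid user" appears only when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# syslog timestamps carry no year; the year is an assumption for this example.
LOG_YEAR = 2024


def parse_failures(log_text):
    """Return {ip: [datetime, ...]} of failed-login times, sorted per IP."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines leave no failure trace
        ts = " ".join(m.group("ts").split())  # collapse syslog's space-padded day
        when = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        failures[m.group("ip")].append(when)
    for times in failures.values():
        times.sort()
    return failures


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """IPs with at least `threshold` failures inside any span of `window_seconds`.

    Sliding window over the sorted timestamps: if failure i and failure
    i+threshold-1 are no more than `window_seconds` apart, the IP is flagged.
    """
    offenders = set()
    for ip, times in parse_failures(log_text).items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                offenders.add(ip)
                break
    return sorted(offenders)


if __name__ == "__main__":
    print("fast guessing (5 in 60 s):   ", detect_bruteforce(SAMPLE_LOG))
    print("slow guessing (5 in 30 min): ", detect_bruteforce(SAMPLE_LOG, window_seconds=1800))
```

The short window catches the noisy attacker but misses the one spreading guesses over twenty minutes; widening the window catches both while leaving the single mistyped password alone. That trade-off between window length, threshold, and false positives is why log-based tools run several such scenarios side by side rather than one fixed rule.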
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.