Social engineering -- the act of manipulating a person to accomplish goals that are at best unethical and at worst criminal -- is a topic I have written about before, and one that is gaining increasing notoriety.
Cyber-criminals are engaging in unlawful social engineering when they gain access to passwords, confidential files, and other sensitive information. Yet, I fear that many in the insurance space have greeted this news with little more than a yawn, figuring that social engineers (criminals) have better targets to fire upon than a sleepy insurance company or broker.
This is an extremely dangerous attitude.
Yet this view is hardly surprising. After all, what do we, as an industry, have that a criminal would take the risk of stealing?
The first answer, unfortunately, is data -- information on our own organizations and on the perhaps millions of customers who rely on us to keep that information safe.
The second, and perhaps more important answer, is our reputations.
In a talk I gave recently at the 2013 IDMA Annual Conference, I emphasized that even seemingly inconsequential data may have value to a social engineer if it helps him or her breach a physical facility -- or a network.
Once the cyber-criminal gets "inside," she or he can do damage, if that is the purpose, or can simply steal information that could be used for identity theft, or theft of monetary and/or intellectual assets.
It is certainly true that individual pieces of data are worth little to nothing by themselves.
According to Lifehacker.com, user names and passwords to accounts on Overstock, Dell, Apple, Wal-Mart, and others sell on the black market for as little as $2 each. Others, like UPS and FedEx, go for $5 each.
"Finally, if the hacked account comes with credentials to an email address they'll get a couple dollars more. Some places even sell 'logs' of user credentials and browser history for a bulk rate -- one was selling 6 GB of logs for $150," according to Lifehacker.com.
So the financial case for stealing data doesn't seem compelling -- until you look at the bigger picture. A scammer may send out 10 million social engineering emails designed to get people to click on a link to the scammer's site, and if even 1 percent of those who get the emails click on the bogus link and hand over their credentials, that is potentially 100,000 pieces of information.
Even at the cheapest rate cited above, that's a cool $200,000 for very little effort. And that assumes the scammer only got one piece of data from each person who clicked through.
From my reading of the news, very few of these criminals are actually caught, because it's really hard to track them and, in some cases, because the victims don't want the notoriety.
If the victimized company is an insurer, that insurer certainly doesn't want to advertise the fact that its systems have been breached, or that policyholders may be in danger of having their information used for illicit purposes.
No one will want a piece of that rock.
Considering the profits to be made where data volume is high, insurance actually represents quite a profitable target for social engineers, because our business is all about data. If your attitude toward such malicious practices is too relaxed, it only helps these criminals get what they want while doing damage to your company, your customers and your reputation.
Be on guard and get educated.
Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at email@example.com.
June 1, 2013
Copyright © 2013 LRP Publications