Last week, the Biden administration announced it will be gathering the leaders of 30 nations to discuss cybercrime and cybersecurity. In an official statement posted at whitehouse.gov, the president claimed:
“I am committed to strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace, and making clear we will hold accountable those that threaten our security.”
If he is serious about cracking down on crime and tightening security, he will start by removing obstacles for those that are actually trying to combat it. A first step would be to require FDIC and NCUA backed financial institutions wholly cooperate with police investigations, regardless of the geolocation. “We absolutely cooperate”, they will ALL claim as they make law enforcement investigators run an exhaustive compliance gauntlet.
As an example, I recently served a search warrant on XXXX Bank for the records of a customer who is complicit in an Internet based counterfeit check scheme. The bank refused to accept the search warrant claiming that it fails to meet their compliance standards. The standards: a warrant issued by federal district court or a court of Texas. A search warrant issued by a duly elected and empowered judge in the Commonwealth of Pennsylvania, and supported by an affidavit of probable cause, is not enforceable.
Protests to the financial institutions get a contrite and smug response explaining the appropriate remedies: Obtain a federal search warrant or have a Texas court naturalize the warrant. Yeah right. The U.S. Attorney’s Office isn’t accepting a case with only a $5000 loss and how am I supposed to find a police officer in Texas who is willing to take on the effort of writing a search warrant based on my affidavit. Yes, it can be done but at what cost?
In reality, the bank is protecting a criminal and perpetuating the victimization of others. All in the name of privacy and compliance.
These businesses should no longer be able to hide behind the assertion “We are a business based in State X and are only accountable to laws of that state and the federal government”. Modern communications has nullified this claim. The Internet allows you to conduct business in every state and you should be subject to the laws and regulations of such.
And it’s not just financial institutions. Try to serve a search warrant on Ad Hoc Labs, publisher of the Burner App, from any state other than California.
Network intrusions and ransomware incidents aren’t the only occurrences of cybercrime affecting everyday Americans. If President Biden is serious about cracking down on cybercrime and shoring up the nations cybersecurity then he should start with some easy fixes.
(These lamentations aren’t directed at my FI security investigator colleagues. It’s completely directed at the lawyers on the floor above you!)
The answer is Yes.
Do you have insider threat exposure? If you answer no, you fail. Having more than one employee exposes you to the potential of an insider threat. In fact, a sole proprietor can have insider threat exposure. The Cybersecurity & Infrastructure Security Agency (CISA) released a nice guide to assist businesses in determining their insider threat potential. The downloadable PDF asks users questions about their business, focusing on program management, personnel training, data collection and analysis. https://www.cisa.gov/publication/insider-risk-self-assessment-tool
It takes two to tango…
Although the criminal is ultimately responsible, they can’t victimize people all over the world if the technology won’t allow it. A group in the United Kingdom is taking on Big Tech and calling them out: “We’re also calling on the big tech, telecoms and social media companies that play host to these crimes to take more responsibility for stopping them.” https://www.theguardian.com/money/2021/sep/27/scam-epidemic-big-tech-firms-must-join-fight-says-nationwide-chief
Coinbase steps up
Earlier this year, at least 6000 customers of the cryptocurrency exchange Coinbase fell victim of a phishing attack. The company recently released details about the incident and explained how the attackers took advantage of a flaw in the company's SMS account recover process. The company fixed the problem and made the victims whole. It’s nice to see a company take accountability and not push the responsibility back to the victim. https://markets.businessinsider.com/news/currencies/coinbase-data-breach-crypto-customers-funds-stolen-accounts-phishing-attack-2021-10
Gift cards…again.
Seven people, including two former postal carriers, have been charged in a financial crimes and money laundering scheme involving the United States Postal Service. The group would use stolen credit and debit cards to purchase prepaid gift cards. The gift cards were then redeemed for cash. It’s curious to me that this has a direct nexus to the United States Postal Service and the charges were filed by the local prosecutor and not the United States Attorney. https://www.fox32chicago.com/news/7-charged-including-two-postal-carriers-in-money-laundering-scheme-involving-u-s-postal-service
No honor among thieves,
Or, “criminals are shocked and dismayed that they can’t trust other criminals”. Cyber threat actors using ransomware-as-a-service platforms to run their schemes are complaining that the group they rent the malware from are stealing some of the ransom payments for themselves. Oh the injustice! https://www.zdnet.com/article/these-ransomware-crooks-are-complaining-they-are-getting-ripped-off-by-other-ransomware-crooks/
The Rest…
You only have two more months to claim your $15 WaWa gift card. https://www.pennlive.com/business/2021/09/wawa-customers-given-deadline-to-submit-claim-for-data-breach-settlement.html
Apple becomes potentially complicit in cybercrime by allowing users to create “anonymous” emails in IOS 15. https://news.cardnotpresent.com/news/apple-enables-anonymous-email-addresses-fraud-pros-cringe
Data breach effects 4.6 million Neiman Marcus customers. https://arstechnica.com/information-technology/2021/10/neiman-marcus-data-breach-impacts-4-6-million-customers/
The stock market is a rigged game, but it’s still the best game in town. https://www.bloomberg.com/news/features/2021-09-29/is-stock-market-rigged-insider-trading-by-executives-is-pervasive-critics-say
Telegram is becoming the choice for criminals. https://mashable.com/article/telegram-cybercrime-dark-web-study-cyberint
Cool Tool
I like to outline and you should too. https://glamdevelopment.com/outlinely
Cool Tips
19 new features of IOS 15
https://gizmodo.com/19-things-you-can-do-in-ios-15-that-you-couldnt-do-befo-1847670770
Just Cool…
They sailed a drone boat inside the eye of a hurricane - and have the video to prove it! https://www.noaa.gov/news-release/world-first-ocean-drone-captures-video-from-inside-hurricane
“NOTHING HURTS MORE THAN THE OPPORTUNITY YOU MISSED BECAUSE YOU WAITED FOR THE PERFECT THING THAT NEVER CAME.” - someone way smarter than me.
The newsletter had a good showing last week with Issue 45. Thank You to everyone who shared!
See you next Tuesday.
Matt