If you think companies and individuals have your data under lock and key, then think again. With hackers becoming more sophisticated and rarely ever getting caught, we’ll likely see more and more breaches in the future.
That’s at least according to Billy Rios, a longtime San Francisco-based “white-hat hacker,” who gets hired by companies to break into their systems and point out security flaws. His clients? Microsoft, Google and the Pentagon, to name just a few.
He learned how to break into networks at university in the 1990s — and he used to breach his college’s network for fun — but he never did it to steal information or make money, unlike today’s crop of hackers.
“The means have always been there, but the motivations have changed,” says Rios, talking about the differences between the early days of hacking and now. “There’s so much more data that people can take advantage of and monetize.”
Hacking has also become far more mainstream, he says, which makes it harder to contain. Everyone from governments and mafia to big-time criminals and petty thieves are breaking and entering into computer systems around the world.
Easier and more enticing
There are several reasons hackers do what they do, he says. First, it’s much easier to break into systems than ever before. Generally, company security is more robust than it’s ever been, there are also far more start-ups — small businesses and other companies that don’t have high levels of protection.
As well, social media, where people constantly talk about themselves, makes it much easier for hackers to find out personal information they can zero in on to answer security questions or steal someone’s identity.
Second, it’s easier to make money off people today. If a criminal gets access to your bank account information, they can simply log in online and drain your savings. There are also databases of credit card information they can buy and then use, says Rios.
Some individuals will also pilfer sensitive data, such as Social Security numbers and medical records, to sell to a third party who can use it to impersonate someone. Rios has heard of hackers who have stolen medical information and then had procedures done using another person’s insurance.
Finally, hackers rarely get caught, claims Rios, which essentially makes it the perfect crime. In many cases, cybersecurity laws just aren’t robust enough to prosecute people, he says, and police aren’t yet set up to bust online crime in a big enough way.
Making it that much more difficult is that a lot of cybercrime is cross-border and done via proxy servers that can mask IP addresses, which makes it extremely hard to identify a hacker.
“Foreign actors can get access to internal servers really quickly,” Rios says. “Figuring out where that person is coming from and where they live and where attacks are being initiated is really hard from a technical standpoint.”
Rise in ransomware
While there are a variety of ways that hackers break into systems, one of the most concerning types of cybersecurity today is ransomware, says Rios. That’s when a hacker installs a piece of malware on a computer and then causes it to shut down an entire network. The only way for someone to get their files back is to pay a ransom to the hacker.
It’s not different from a criminal walking into a bank, holding people hostage and demanding money, he says. While this kind of hack doesn’t get as much attention as a gun-waving thief, it’s essentially the same. Many hackers target hospitals and hold sensitive files hostage, because they know people will pay up. If they don’t and those files get erased, lives could be at risk.
“If someone came into a hospital with a gun, then a SWAT team would descend on that building and it would be all over the news,” he says. “But the same thing is happening every day to thousands of companies. Hackers are demanding upwards of $20,000 to get their data back, and nothing ends up happening to those criminals.”
While hacking motivations may have changed, the actual ways they’re getting into systems haven’t. Most hacks are still phishing-related, says Rios — criminals are trying to dupe people into installing malware-afflicted files or creating emails that look eerily similar to what a bank or telecom might send and then getting people to input sensitive information on a website.
Whether it’s a staffer at a company or people at home, don’t click on any links or files that aren’t coming from a trusted source, he says. Even if it looks like it’s coming from someone you know, make sure the file name, the URL or the reason for clicking on that link makes sense.
As well, think twice about putting personal data on social networks, especially if it’s the answer to a security question, like your mother’s maiden name or the name of a pet.
Also, make sure you’re always updating software, such as operating systems, apps and other programs, says Rios, as companies are often fixing security patches through their updates.
No matter how diligent you are, though, Rios thinks his more nefarious hacking brethren will only push harder to steal your information.
“It’s certainty not going to stop,” he says. “There needs to be some revolutionary change, some game-changing approach to defending networks, but I’m not holding my breath.”