Use 19th century technology to defeat 21st century fraud

Jim O’Hara, CISM, CISSP, CEH, Information Security Officer

March 10, 1876. Alexander Graham Bell’s Boston laboratory.

“Mr. Watson come here – I want to see you. I think someone just looted my brokerage account.”

Okay. Those may not have been the exact words spoken over the first useful telephonic device. But similar words are spoken on any given day in the modern world.

In the early 2000s, hackers and fraudsters preyed upon a burgeoning digital world. As financial institutions rushed to establish an online presence, cyber security controls were often overlooked, inadequate, and sometimes nonexistent. Regulatory bodies were slow to adjust to the new playing field as well, and firms could quite literally put their clients at risk without violating written regulations.

After a few hard lessons, smart financials became extremely focused on security, and the regulators followed suit, updating compliance requirements to counter the threats inherent in the brave new digital world. The SEC was no longer telling firms to “exercise responsibility in protecting client data.” They were now saying “deploy and maintain a stateful inspection firewall.” Seeking compliance, firms tossed out the security appliance purchased at the local office superstore and installed second generation firewalls and network intrusion prevention systems. They hired information security professionals who established security departments and put in place comprehensive technical controls and written policies. Game on.

Hackers and fraudsters soon discovered that their old tools and methods were no longer effective. It had suddenly become much more difficult to compromise the now security-savvy financial firms. What to do?

If you can’t pick the lock, steal the key. Criminal focus shifted from defeating the security systems protecting valuable data, to compromising individuals who had direct access to it. Credential theft became the hack-du-jour, and remains so to this day, in the fraudsters’ all-time favorite flavor: Email phishing.

The most effective use of phishing as a fraud tool follows this simple 3-step process:

  1. Phish the investor. Typically, in the form of an email masquerading as the victim’s email provider. The investor is asked to follow a link and validate their credentials. The linked site is usually very convincing, complete with the email provider’s current branding. The victim dutifully enters their username and password and is told “Thank you. Your account is secure.”
  2. Using the stolen credentials, the fraudster logs into the investor’s email account and reviews its contents. They watch and wait. They learn who is managing the investor’s money, how they communicate, and in some cases, they may even see prior communications related to a distribution.
  3. When the timing is right, usually around the holidays or a weekend, the fraudster jumps into an existing email message thread. They talk about how long it’s been since they’ve spoken, ask how Jenny is doing at Cornell, and then… instruct the financial advisor to perform a distribution to a newly established bank account. Usually it’s for a down payment on that dream vacation home, sometimes it’s to buy their spouse the classic convertible they’ve always wanted. A theme common to all the messages is that time is of the essence. The advisor needs to move the money quickly or the opportunity for the house or car will be missed.

Alexander Graham Bell’s invention then comes into play in one of two ways. Either the advisor calls their client and learns of the attempted fraud, or the client calls the advisor a week or two later and asks why their account is short. It’s the advisor who determines which call takes place.

The views expressed are those of Brinker Capital and are not intended as investment advice or recommendation. For informational purposes only. Brinker Capital, Inc., a registered investment advisor.

Password potato chips

Jim O’Hara, CISM, CISSP, CEH, Information Security Officer

Passwords are like potato chips.  You can’t (and shouldn’t) have just one.

A new trend is developing in phishing and email extortion tactics. Attackers are including the potential victims’ passwords in the messages sent. Why would they do this?

If you’re the target of this attack, you’ll typically receive a message from someone claiming they’ve compromised your computer and have obtained a list of your website usernames and passwords.  The message will contain a set of credentials to a site you’ve used, which were valid at some point. You’ll also be threatened with some sort of undesirable consequence unless an online payment is made. By including valid credentials in the extortion message, the attacker is hoping to instill fear and doubt in your mind, prompting you to take immediate action.

But how did the attacker obtain your credentials?

When a website is compromised, the attacker typically mines the site for useful information, including the login credentials of the site’s users. The attacker knows that people tend to be lazy when it comes to passwords, and there’s a good chance one site’s credentials will work for other sites the user visits. These collections of stolen usernames and passwords are constantly being bought and sold online, and eventually, make their way into the hands of an extortionist. It’s likely the credentials in the email you receive will have been stolen quite some time ago, and in many cases are no longer valid. If you use the same password for more than one website, it will be impossible for you to determine which of the sites you visit was compromised.

This is why it’s so important to maintain unique passwords for each account you have. Yes, it takes a bit more effort to maintain separate passwords, but the additional protection is well worth the effort.

Tips to protect yourself: 

  • Never use the same password for more than one website. To keep track of multiple passwords, consider storing them in a password-protected spreadsheet.
  • Change your passwords from time to time, especially for email accounts or other accounts that don’t employ multi-factor authentication.
  • Never use public computers to access sensitive accounts. Even if you direct the browser to not save your credentials, the machine could be compromised in other ways designed to capture your credentials regardless.


A tale of two billboards

Jim O’Hara, CISM, CISSP, CEH, Information Security Officer

Imagine a plush community of beautiful, sprawling estates where each property is protected by a high-end security system.  Now imagine two enormous billboards along the nearby interstate.  Once per month, the first billboard displays a list of newly discovered flaws in the community’s security systems.  The second describes methods to repair the same flaws.  Which billboard would be more closely watched?  Who would be watching it?

By now it’s common knowledge that the Equifax breach was a direct result of the company’s failure to properly maintain a webserver.  What’s less talked about is the fact that the exploited Apache Struts flaw had been published and rated “Critical” by security authorities well in advance of the breach.  Even less discussed is Equifax’s admission to knowing of the vulnerability at the time of breach, but not applying the associated patch, which had been available for months.

Software patching is essentially the 2-billboard scenario described above:

Billboard #1:  The Common Vulnerabilities and Exposures (CVEs) database.  Maintained by the Cyber Security FFRDC, and funded by the Department of Homeland Security, the CVEs database is an ever-updated list of all known software vulnerabilities.

Billboard #2:  A collection of patches and other mitigating controls issued by software providers and security authorities, designed to mitigate the vulnerabilities listed on Billboard #1.

The primary shortcoming of this system is the vulnerability information on Billboard #1 is almost always newer than the remediation information on Billboard #2.  While most software providers strive to release patches concurrently with the publication of the corresponding CVE, this is not always possible.  This occasionally creates a period of time when hackers can use the CVE data to attack vulnerable systems.  In fact, Verizon’s 2015 Data Breach Investigation Report found that half of published CVEs are used to successfully compromise some systems within two weeks.  Hackers are keeping a close eye on the CVE database, and working quickly to weaponize new information it provides.  So, for users and IT departments, it’s an unwinnable race, right?  Not so fast.

The tale of two billboards

The same Verizon study also found that 99.9% of system compromises occurred more than a year after the associated CVEs and corresponding patches were made public.  So, while the hackers may be fast, there is plenty of blame left for the victims – 99.9%, in fact.  Going back to our community of beautiful, sprawling estates, this suggests that even if home owners are bothering to read Billboard #2, many are not acting on the information it contains.  Equifax.

The key to keeping systems protected is a strong patch management program.  Responsible organizations put in place policies, procedures and systems necessary to ensure vulnerabilities are quickly identified and thoroughly mitigated.  Despite a strong patch management process, however, it remains possible that an attacker may find and exploit a vulnerability not yet listed in the CVEs database.  This is known as a “Zero Day” attack.  In order to mitigate Zero Day attacks, organizations must utilize a layered defense-in-depth strategy, which would include implementation of controls such as malware detection software, next generation firewalls, intrusion detection/prevention systems (IDPS), and data loss protection (DLP) technologies.
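The gap between the two billboards is measurable: for every known vulnerability you can track how many days passed between its publication (Billboard #1) and the fix actually being applied, and whether a fix exists at all. The following is an added example, not Brinker Capital’s code or tooling; the inventory records are constructed sample data, the status labels are invented for the example, and the two thresholds simply mirror the figures quoted above (two weeks, one year).

```python
# Added example (not Brinker Capital's code): exposure-window report for a
# constructed vulnerability inventory. Thresholds mirror the figures in the
# text: half of CVEs exploited within two weeks, and 99.9% of compromises
# more than a year after disclosure.
from datetime import date

FAST_EXPLOIT_DAYS = 14   # "within two weeks"
STALE_DAYS = 365         # "more than a year"

# Constructed inventory (sample ids, not real CVE numbers).
#   disclosed    = CVE publication date (Billboard #1)
#   fix_released = vendor patch date (Billboard #2), None if no fix exists yet
#   fix_applied  = date we installed the fix, None if still unpatched
INVENTORY = [
    {"id": "SAMPLE-A", "host": "web-01", "disclosed": date(2023, 1, 10),
     "fix_released": date(2023, 1, 10), "fix_applied": date(2023, 1, 15)},
    {"id": "SAMPLE-B", "host": "db-02", "disclosed": date(2022, 3, 1),
     "fix_released": date(2022, 3, 5), "fix_applied": None},
    {"id": "SAMPLE-C", "host": "web-01", "disclosed": date(2023, 5, 20),
     "fix_released": None, "fix_applied": None},
    {"id": "SAMPLE-D", "host": "mail-01", "disclosed": date(2023, 4, 1),
     "fix_released": date(2023, 4, 3), "fix_applied": None},
    {"id": "SAMPLE-E", "host": "app-03", "disclosed": date(2023, 2, 1),
     "fix_released": date(2023, 2, 1), "fix_applied": date(2023, 3, 15)},
]

# Fixed "as of" date so the report is reproducible; a real run would use date.today().
TODAY = date(2023, 6, 1)


def exposure(item, today):
    """Days from public disclosure until the fix was applied (or until today)."""
    end = item["fix_applied"] or today
    return (end - item["disclosed"]).days


def classify(item, today):
    """Status labels invented for this example."""
    days = exposure(item, today)
    if item["fix_applied"]:
        return "patched" if days <= FAST_EXPLOIT_DAYS else "patched-late"
    if item["fix_released"] is None:
        # Nothing on Billboard #2 yet: only layered controls apply.
        return "no-fix"
    if days > STALE_DAYS:
        return "stale"          # the 99.9% population
    return "open"


def report(inventory, today):
    """Annotate each item and sort so the worst exposure comes first."""
    rows = [{**item, "days_exposed": exposure(item, today),
             "status": classify(item, today)} for item in inventory]
    order = {"no-fix": 0, "stale": 1, "open": 2, "patched-late": 3, "patched": 4}
    return sorted(rows, key=lambda r: (order[r["status"]], -r["days_exposed"]))


if __name__ == "__main__":
    for row in report(INVENTORY, TODAY):
        print(f'{row["status"]:13} {row["days_exposed"]:4}d  {row["id"]}  {row["host"]}')
```

Items with no vendor fix are listed first because a patch management process cannot close them; they are exactly the cases the defense-in-depth controls in the paragraph above exist for.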

What can individual advisors and clients do?

  1. Ensure your operating system and software are configured to update automatically.  Waiting for an update to install can be frustrating, but it’s nothing compared to the sinking feeling you’ll experience if your system is compromised.  As a bonus, you’ll no longer see those annoying reminders in the task bar.

  2. Consider installing malware detection software on your computer.  This would be in addition to any anti-virus solutions already installed.  There are many free and low-cost malware detection and eradication options available.  Research the tool before installing to ensure it is legitimate and properly supported.

  3. Encrypt critical and sensitive data.  Password protecting spreadsheets, Word documents, and PDFs containing sensitive data will greatly reduce the impact of a Zero Day attack on your computer.  The attack may compromise your system, but it won’t be able to decrypt your protected files.  This could spare you many uncomfortable phone calls.


Hacking human nature

Jim O’Hara, CISM, CISSP, CEH, Information Security Officer

As organizations have improved the technical controls protecting their assets, hackers and fraudsters have adjusted their aim – to human nature.  Why spend countless hours picking at an impenetrable lock when, with a little trickery and sleight of hand, the owner will happily provide the key?  Why don black clothing and a ski mask to risk life and limb committing a crime when you can perpetrate the same act more effectively from your couch?  In your pajamas.

Social engineering attacks have risen to levels not seen since 2004. Attackers prey on a victim’s complacency, good nature, and desire to please.  All characteristics inherent to human nature.

A-phishin’ we will go…

Far and away the most prevalent form of social engineering, email phishing has become the fraudster’s weapon of choice.  These types of attacks are relatively simple to perform, and enjoy an incredible return on investment.

Fraudulent email accounts can be created in seconds, at no cost.  Key organizational contact information is just a web search away, often listed on the victim’s own website or social media profile.  Fake websites can be constructed in minutes and hosted for less than a dollar a day.  Each of these elements combine to represent a highly effective and efficient tool for theft.  Theft of identities, reputations, intellectual property, and cold hard cash.

Email phishing attacks typically have one or more of the following characteristics:

  • The email sender appears to be an individual or entity known to the victim. In many cases, the “friendly name” of the sender is identical to an advisor, associate, or organization familiar to the victim.  Only through closer inspection does it become apparent that the actual address used by the sender is fake.
  • The email content appears to be of a pressing, urgent nature. When given a time constraint, humans are more likely to leave caution to the wind, set aside better judgement, and bypass normal procedures.  Attackers often attempt to create a sense of urgency in order to exploit this aspect of human nature.
  • The email contains links. Phishing emails often contain links to fraudulent or malicious websites.  Fraudulent websites are often spot-on doppelgangers of their legitimate peers.  The attacker’s hope is that the victim will attempt to log onto the fake site, revealing their credentials, which the attacker will then use to access the legitimate site, or other accounts of the victim.  Malicious websites often contain malware designed to exploit weaknesses in the victim’s browser.  Once installed this malware may be used to collect credentials, log keystrokes, or perpetrate other criminal acts using the victim’s computer or device.
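Each of the three characteristics above can be checked mechanically before a message reaches a human, which is how mail gateways and triage scripts flag candidates for the out-of-band phone call. The following is an added example, not Brinker Capital’s code: `KNOWN_CONTACTS`, the urgency word list and both sample messages are constructed for the example, and `registrable()` is a deliberate simplification (last two DNS labels) rather than a real public-suffix lookup.

```python
# Added example (not Brinker Capital's code): triage checks for the three
# phishing traits listed above. The contact directory, urgency word list and
# sample messages are all constructed for this example.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory: display name -> the address actually on file for that contact.
KNOWN_CONTACTS = {
    "Jane Advisor": "jane.advisor@example-advisors.com",
    "Example Advisors Ops": "ops@example-advisors.com",
}

# Constructed list of phrases that try to impose a time constraint.
URGENCY_TERMS = ("urgent", "immediately", "as soon as possible", "today",
                 "time is of the essence", "wire")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def registrable(host):
    """Simplification for the example: treat the last two labels as the owning domain."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(from_header):
    """Trait 1: a familiar display name on an address that is not the one on file."""
    name, addr = parseaddr(from_header)
    expected = KNOWN_CONTACTS.get(name.strip())
    if expected and addr.lower() != expected.lower():
        return [f"display name '{name}' is on file as {expected}, but message came from {addr}"]
    return []


def check_urgency(text):
    """Trait 2: language that pressures the reader to act quickly."""
    hits = [term for term in URGENCY_TERMS if term in text.lower()]
    return [f"urgency language: {', '.join(hits)}"] if hits else []


def check_links(html):
    """Trait 3: link text that shows one domain while the href goes to another."""
    findings = []
    for href, label in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        shown = HOSTLIKE_RE.search(label)
        if shown and registrable(shown.group(0)) != registrable(href_host):
            findings.append(f"link text '{shown.group(0)}' actually points to {href_host}")
    return findings


def triage(raw_message):
    """Run all three checks on a single-part text/html message and return the findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    plain = re.sub(r"<[^>]+>", " ", body)
    findings = (check_sender(msg.get("From", ""))
                + check_urgency(f"{msg.get('Subject', '')} {plain}")
                + check_links(body))
    return {"findings": findings, "hold_for_verification": bool(findings)}


# Constructed sample messages (not real mail).
PHISH = """From: Jane Advisor <jane.advisor@example-advisors-secure.com>
Subject: Urgent: wire needed today
Content-Type: text/html

<p>It has been ages! Please move the funds today and confirm at
<a href="http://example-advisors-secure.com/login">example-advisors.com</a></p>
"""

LEGIT = """From: Jane Advisor <jane.advisor@example-advisors.com>
Subject: Quarterly review
Content-Type: text/html

<p>The quarterly summary is posted at
<a href="https://example-advisors.com/reports">example-advisors.com</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

None of these checks proves a message is fraudulent; a legitimate client can write an urgent note from a new address. Their value is that any finding routes the request to the verification step described later in the article instead of straight to execution.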

Protection must remain a top priority at all times

In an increasingly rapid service-on-demand digital age, clients expect transactions to take place almost instantly.  Advisors have a strong desire to please their client by meeting that expectation.  This is human nature.  Making a distribution happen quickly will please the client, and is a “win” for the advisor.  But is it still a win if that quick client distribution is executed based on fraudulent instructions and deposited to an account controlled by a hacker?

The key to thwarting social engineering attacks is recognizing that protecting your clients and their assets is your top priority.  Airline passengers hope to arrive at their destinations on time.  But they don’t fault the pilot for following the preflight checklist, avoiding dangerous weather, or getting clarification from air traffic control when the flight plan seems a little “phishy”.

How to protect yourself and your clients:

  • Be wary of email instructions. Email is the fraudster’s preferred tool because it is effective.  Email should never be assumed to be reliable or authentic.  Even messages from legitimate addresses are suspect, as the sender’s account may very well have been compromised.
  • Keep human nature in check. Instructions or requests attempting to impart a sense of urgency, requiring quick, atypical actions on your part, should be regarded as especially suspect.  Recognize the potential intent of such tactics and stick to your regular procedures and processes.
  • Pick up the phone. It is highly recommended that advisors verify client distribution instructions in-person or via telephone.  Confirm the identity of your client, and ensure the instructions you’ve received are accurate.

At Brinker Capital we are committed to continually improving our technology and security policies in an effort to stay ahead of current cyber threats within the industry. Together, we can take steps to help keep client information safe.
