by Nirmal John
The other two who were apprehended were his accomplices. Kumar was giving out the bank account numbers of Ajit Singh and Praveen Dev to those customers who agreed to complete their deals. Singh and Dev were paid a 15 per cent commission for letting Kumar do this.
At around Rs 1,25,000, the total amount they swindled was not by any means large, but as Khan points out, that was enough money for the three to make a play for it. The three were from lower middle-class backgrounds, and they perceived that amount to be worth the risk involved.
For Khan, the one feature of this case that stands out was how convinced the three were that they won’t get caught. India is used to the idea of physical theft, but most people haven’t got around to understanding theft in cyberspace. ‘These youngsters clearly were not professional thieves,’ says Khan. ‘They thought they could make some easy money with the data they had, and then move on without getting caught. They also told me that they just didn’t believe they would be caught. I don’t think these are the sort of people who would have resorted to theft and swindling of money in the physical world.’
Their experience of the brave new digital world until that point, he says, gave them an illusion of invincibility. It is the same illusion that makes trolls on message boards and comment sections on the Internet say things they wouldn’t dare utter to anyone face to face. As a research paper from Stanford University and Cornell University, published in early 2017, suggested, ‘Under the right circumstances, anyone can become a troll.’7
That can be extended to crime as well. Under the right circumstances, anyone can become a criminal, especially when the easy money is to be had from behind a computer screen. To borrow and slightly alter that sentence from the research paper: ‘Under the right circumstances, anyone can become a criminal online.’ The illusion of anonymity that the Internet seemingly afforded was what made Kumar and company feel safe. Sadly for them, data, as it always does, left a trail that could not be erased.
The three were kept in custody at the Kasna Jail in Noida and were slapped with cases under a whole host of laws, including Section 66-C of the Information Technology Act, which deals with ‘identity theft’ and 66-D, which looks at ‘cheating by personation by using computer resource’. Kumar, who was deemed the kingpin of the fraud, was kept in remand and was denied bail several times by the court.
* * *
The perception that most of the threat to your data in the digital age comes from an all-knowing smart-ass programmer sitting far away in a basement tapping away at his laptop is not exactly an accurate one. Sure, breaches by this sort of sharp hacker who keeps at it until he circumvents the defences do happen often enough, but not nearly so often as data theft that happens because of individuals who are careless or ignorant or, as in this case, are just out to make a quick buck and take a sharp jab at a former employer.
The theft of customer data from Tolexo certainly wasn’t a sophisticated breach by any stretch of the imagination. There was no fancy hacking involved, nor was any software vulnerability exploited by the perpetrator. All of what happened at Tolexo was decidedly low tech. The theft came by way of Kumar simply continuing to access his team’s email, using a password he still knew, and forwarding himself a few emails. It was a combination of two things: a vindictive young employee with an agenda against the company and a penchant for easy money, and an organization that failed to make employees follow basic security requirements, like keeping passwords to themselves and revoking access when someone leaves.
True to the cliché that most people in the business of providing security peddle, the security of a company can only be as strong as its weakest link. That, more often than not, simply comes back to the people factor. Much of Tolexo’s pain in this instance came from the lack of importance given to creating a culture of security. That results in an ill-informed workforce making ill-informed choices.
Passwords have especially been a bit of a pain point across data access control systems. It is not the most secure way to authenticate a user, but is far and away the easiest and most popular one. While Kumar from Tolexo knew his manager’s password because it was shared among the team, there are many millions who have laughably simple passwords that are easy to guess. Passwords form an intrinsically weak part of the security apparatus because, simply put, there are way too many passwords that every individual ends up having to remember in the digital world. There are passwords for email, social media, banking, office computer, personal computer, phone . . . the list goes on. Easy-to-remember passwords take the headache away.
In the battle between the inconvenience of remembering a complicated but safer password and the ease of recalling a simple one, far too many opt for the latter. This lack of common sense while deciding on passwords has been a source of headache for security professionals in many companies. It has resulted in a rather shocking statistic. According to Verizon’s 2016 Data Breach Investigations Report, ‘63 per cent of confirmed data breaches involve using weak, default or stolen passwords.’8
SplashData,9 a security research outfit that publishes a list of common passwords every year, came out with a list in 2016, containing exactly the kind of passwords that leave researchers scratching their heads.
1 123456
2 password
3 12345678
4 qwerty
5 12345
6 123456789
7 football
8 1234
9 1234567
10 baseball
11 welcome
12 1234567890
13 abc123
14 111111
15 1qaz2wsx
16 dragon
17 master
18 monkey
19 letmein
20 login
21 princess
22 qwertyuiop
23 solo
24 passw0rd
25 starwars
In instances where the password policy mandates numbers and special characters, employees satisfy it with popular variations such as ‘Companyname@123’, which fall in a handful of tries. One doesn’t exactly need to master the darker arts to brute force (try candidate passwords one after another until one works) one’s way through such passwords. The attack need not even be exhaustive: the attacker starts from a short list of words tied to the company or the season, applies the few transformations people actually use (capitalize the first letter, swap ‘o’ for ‘0’, append ‘@123’ or the current year) and reaches such passwords within a few hundred guesses.
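The point above, as an added example that is not code from the book or from Tolexo: a toy version of the rule-based guessing that password crackers do, followed by the check a login system should run instead of a bare ‘must contain a digit and a symbol’ rule. The base words, suffixes and rule order are assumptions chosen to resemble common cracker rule sets; ‘tolexo’ stands in for the employer in the story.

```python
import string

# Added example, not the book's code. Base words an attacker can learn from
# a company's website or staff profiles (constructed), plus the
# transformations people use to satisfy "must contain a digit and a symbol".
BASE_WORDS = ["tolexo", "welcome", "password", "summer", "india"]
CASE_RULES = [str.lower, str.capitalize, str.upper]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "1234", "12345", "@1", "@12", "@123",
            "@1234", "#123", "!", "!1", "2016", "2017", "@2017"]

# A few entries from the SplashData list quoted above, used as a denylist.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345",
                    "123456789", "football", "1234", "1234567", "baseball",
                    "welcome", "abc123", "letmein", "login", "starwars"}


def candidates(base_words=BASE_WORDS):
    """Yield guesses in the order a cracker would try them:
    word x case variant x (plain | leetspeak) x suffix, without repeats."""
    seen = set()
    for word in base_words:
        for case in CASE_RULES:
            cased = case(word)
            for variant in (cased, cased.translate(LEET)):
                for suffix in SUFFIXES:
                    guess = variant + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def guesses_needed(password, base_words=BASE_WORDS):
    """Position of `password` in the guess list, or None if the rules miss it."""
    for n, guess in enumerate(candidates(base_words), start=1):
        if guess == password:
            return n
    return None


def meets_naive_policy(password):
    """The complexity rule that 'Companyname@123' was invented to satisfy."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_password(password, base_words=BASE_WORDS):
    """Reasons to reject a password (empty list means acceptable). This checks
    what the complexity rule cannot see: known-bad and derivable passwords."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    n = guesses_needed(password, base_words)
    if n is not None:
        reasons.append(f"derived from a guessable base word (guess #{n})")
    if not meets_naive_policy(password):
        reasons.append("fails length/character-class rule")
    return reasons


if __name__ == "__main__":
    for pw in ["Tolexo@123", "T0l3x0@2017", "football", "correct horse battery staple"]:
        print(f"{pw!r}: policy={meets_naive_policy(pw)} reasons={check_password(pw)}")
```

‘Tolexo@123’ passes the complexity rule and is the 38th guess; the leetspeak variant with a year appended is the 60th. A real cracker applies thousands of such rules to millions of base words, so the practical defence is a denylist of breached and derivable passwords plus length, not character-class rules.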
Across businesses, there is a need to rethink access control protocols. One of the solutions being discussed is the introduction of multi-factor authentication in the corporate space. That could happen through PINs sent to the phone number of the user, just as with credit card authentication, or through biometric authentication, like a fingerprint or an iris scan. While there are ways to circumvent such controls too, it does make such access far more secure than just having a singular password layer. These solutions may introduce a layer of complication, but that may not be such a terrible pay-off if embarrassment and payment of damages can be avoided.
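What a second factor adds, as an added example that is not code from the book or from any company named in it. The text describes PINs sent to a phone; this example implements the authenticator-app variant (RFC 6238 time-based one-time codes, built on RFC 4226 HOTP), whose arithmetic is the same but which does not cross the phone network, so SIM-swap and SMS-interception attacks do not apply. The user record, salt and the use of PBKDF2 for the password are assumptions; the secret is the RFC test-vector key.

```python
import hashlib
import hmac
import struct
import time

# Added example, not the book's code: RFC 4226 HOTP / RFC 6238 TOTP, plus a
# server-side verifier and a two-factor login check.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactor:
    """Verifier for one user's enrolled secret. Accepts the current time step
    and +/-`window` neighbours (clock drift), compares in constant time, and
    never accepts a step that has already been used, so a captured code
    cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step_used = -1

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            step = current + drift
            if step <= self.last_step_used:
                continue  # replay of an already-consumed step
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step_used = step
                return True
        return False


def login(users: dict, username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass. A password that is shared or stolen, as in the
    Tolexo case, is no longer enough on its own."""
    user = users.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    return user["otp"].verify(code, now)


# Constructed user record; SECRET is the RFC 4226/6238 test-vector key.
SECRET = b"12345678901234567890"
SALT = b"constructed-salt"
USERS = {
    "manager": {
        "salt": SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Tolexo@123", SALT, 100_000),
        "otp": SecondFactor(SECRET),
    }
}

if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code for this step is 287082
    print(login(USERS, "manager", "Tolexo@123", totp(SECRET, t), t))  # True
    print(login(USERS, "manager", "Tolexo@123", totp(SECRET, t), t))  # False: replayed code
    print(login(USERS, "manager", "Tolexo@123", "000000", t + 30))    # False: wrong code
```

The replay guard matters as much as the code itself: without it, a one-time code that a phishing page captures and relays within the 30-second window is as good as the real thing. Biometrics and hardware tokens are stronger still because there is nothing for the user to type into a phishing page.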
Incidents like the one at Tolexo suggest that corporate human resources departments also need to do a lot of pondering. How do you ensure that employees who are dissatisfied with their appraisals don’t potentially create embarrassing situations for the organization? Further, it is important that an appreciation of information security be made mandatory for all employees through rigorous training. This is especially true in India, where many millions of youngsters are just starting to lead a digital life as they join the corporate workforce. What companies can do is to give them compulsory training in security and, as a Verizon report suggests, ‘Encourage/reward them for reporting suspicious activity such as potential phishing or pretexting attacks.’
There is statistical evidence that supports the need for HR intervention in security matters. A PwC Global Economic Crime Survey states,10 ‘More than one in every four organizations in India are impacted by economic crime.’ The same survey suggests that 61 per cent of the time ‘economic crimes in India are committed by employees within an organization’. That is a scarily large proportion.
It is equally important for smaller companies to invest more in shoring up their perimeters. Start-ups, which run on limited money, often ignore data security, even though they all acknowledge data to be one of their key assets. Anecdotally, casual conversations with multiple founders of start-ups suggest that while they do know they need to shore up their act on the security front, they simply don’t have the money to implement the best practices. Some of them still believe that bigger companies have to worry about data theft. What happened at Tolexo shows that is not the case. Small firms which are not of any significant scale can face situations that can blow up in their face if not anticipated and dealt with effectively.
Technology must also be used to flag suspicious activity, such as simultaneous logins to the same email account from two different IP addresses, or the forwarding of certain kinds of files as email attachments to addresses outside the company. The software to do this exists today, but most companies, particularly the smaller ones and start-ups, tend to ignore these basics.
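The two checks just described, as an added example that is not code from the book or from any company in it. The log lines, event names, addresses and domains are constructed (documentation IP ranges and reserved .example domains) and the format is an assumption; real mail systems export similar events in their own formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the book's code. Constructed mail-server events: a
# manager's mailbox opened from a second address while the first session is
# still open, then a customer spreadsheet forwarded to a personal webmail
# account, the pattern the Tolexo story describes.
SAMPLE_LOG = """\
2016-08-01T09:02:11 LOGIN user=manager@tolexo.example ip=203.0.113.10
2016-08-01T09:05:40 LOGIN user=manager@tolexo.example ip=198.51.100.7
2016-08-01T09:06:02 FORWARD user=manager@tolexo.example ip=198.51.100.7 to=rk.personal@webmail.example attachment=customer_orders_jul.xlsx
2016-08-01T09:20:15 FORWARD user=manager@tolexo.example ip=203.0.113.10 to=sales@tolexo.example attachment=brief.docx
2016-08-01T12:30:00 LOGOUT user=manager@tolexo.example ip=198.51.100.7
2016-08-01T13:00:00 LOGIN user=analyst@tolexo.example ip=203.0.113.22
2016-08-01T18:05:00 LOGOUT user=analyst@tolexo.example ip=203.0.113.22
2016-08-02T09:00:00 LOGIN user=analyst@tolexo.example ip=203.0.113.22
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT|FORWARD) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: to=(?P<to>\S+))?(?: attachment=(?P<attachment>\S+))?$"
)
SENSITIVE_EXTENSIONS = {"xlsx", "xls", "csv", "zip", "sql", "db"}
SESSION_TIMEOUT = timedelta(hours=8)  # assumed: a forgotten logout stops counting after this


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def detect(log_text, company_domain, sensitive_exts=SENSITIVE_EXTENSIONS):
    """Return (kind, user, detail) alerts for two signals:
    - concurrent_login: a LOGIN from a second IP while another session for the
      same mailbox is still open (no LOGOUT yet, within SESSION_TIMEOUT);
    - external_forward: a FORWARD of a sensitive file type to an address
      outside the company domain."""
    alerts = []
    active = defaultdict(dict)  # user -> {ip: time of login}
    for rec in parse(log_text):
        user, ip, ts = rec["user"], rec["ip"], rec["ts"]
        sessions = active[user]
        for stale in [i for i, t in sessions.items() if ts - t > SESSION_TIMEOUT]:
            del sessions[stale]
        if rec["event"] == "LOGIN":
            others = [i for i in sessions if i != ip]
            if others:
                alerts.append(("concurrent_login", user,
                               f"{ip} while {', '.join(others)} active"))
            sessions[ip] = ts
        elif rec["event"] == "LOGOUT":
            sessions.pop(ip, None)
        elif rec["event"] == "FORWARD":
            recipient = rec["to"] or ""
            attachment = rec["attachment"] or ""
            ext = attachment.rsplit(".", 1)[-1].lower() if "." in attachment else ""
            external = not recipient.lower().endswith("@" + company_domain.lower())
            if external and ext in sensitive_exts:
                alerts.append(("external_forward", user, f"{attachment} -> {recipient}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "tolexo.example"):
        print(alert)
```

Both rules need tuning before they go live: a laptop on the office network and a phone on mobile data produce a legitimate ‘two IPs at once’, and many users sit behind the same office address, so the concurrent-login check is a trigger for review rather than an automatic lockout. The forwarding rule is cheap and rarely noisy; on the page’s own account it would have caught the Tolexo leak on day one.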
Not so any more for his companies, says Brijesh Agrawal. He has made many changes in response to the breach. He has since put in place far stricter controls around access to data. One of the first things he did once he found out about the leak was to meet some of the best minds in the digital security business in India to review his organization and advise him on exactly how he should go about building walls around the all-important data he is trying to protect. These security audits will now happen periodically, to ensure that breaching the walls of his company becomes significantly more difficult.
Tolexo has found the going difficult since the breach, not particularly because of it, but because of the tough external climate in e-commerce. It has since announced that it will be changing its business model, pivoting, in start-up speak, from an e-commerce platform open to anybody to transact on, to a walled garden where companies express an interest in the goods on sale and Tolexo follows up by connecting them to suppliers.
Whatever may be the business model, the one thing that Agrawal has promised to do is to maintain close scrutiny of data security protocols—something he says he is investing in to make sure that mistakes that made this breach happen are not repeated.
CHAPTER 6
TAKING DATA HOSTAGE
The Era of Ransomware Is Well and Truly Here
On 27 June 2017, WPP, the holding company of some of the most storied names in the global advertising and communications industry, including Ogilvy & Mather, JWT and Burson-Marsteller, issued a short two-line press release.1
WPP confirms that some of its information technology systems have been affected by a global cyberattack. WPP is assessing the situation and is taking appropriate measures.
On the morning of 28 June 2017, employees of Ogilvy and Mather in Mumbai, Gurgaon, Bengaluru, Chennai, Kolkata and Hyderabad logged into their systems to find that their Internet connections were unusually slow. With so much of what they do happening over networks, work crawled. It was especially painful for them that they were not able to transfer files through shared Winmac folders.
Things became worse that afternoon. The IT support staff of the agency went around each workstation with a request—to shut down all computers immediately. The employees were told that there was a virus in the network and this was a precautionary measure as mandated by the global management of WPP. Thankfully, their emails were still accessible on their phones. And so emails and phone calls went to clients, informing them of the situation. Because there was no indication as to how long the problem would last, most of the clients were warned that any work that was to be delivered would be delayed. There was, in effect, a lockdown at the agency.
The next morning there was a little more clarity on the situation, thanks to an email from the chief technology officer of the agency, Mike Tidmarsh. Given below is the text of that mail.
As you’re aware we’re still in the middle of dealing with the virus attack that’s affecting ourselves, WPP and a host of other companies.
We know for sure that the virus targets Windows machines; powering them down and then restarting them with all files locked and held for ransom. As yet it does not appear to affect other operating systems.
Action required of you: if you have a Windows machine (PC, desktop)—please shut it down, unplug and do not restart it until you get a green light from us.
What’s being done:
Teams from WPP & IBM are working with Sophos to find a suitable defence and restart approach—they’re confident that they’re closing in on a solution to patch the machines and make them safe. Until then we have to continue to take these painful steps to contain our risk—the less damage we incur, the easier it will be to get going again. WPP comms. are working to prepare suitable client comms.
If you’re infected, should you pay the ransom? NO!! Please do not pay any ransom.
Can you use a Mac? Yes—for now we have no evidence that Macs are at risk. (Unless you’re running Windows on it—in which case shut it down too). Phones, O365 email can also be used at this time.
We absolutely appreciate that this is having a massive impact on our ability to work; please bear with us as we work with our IBM and WPP partners to get this remedied.
Thanks, Mike
Mike Tidmarsh
Chief Technology Officer
Ogilvy & Mather Worldwide
The bottom line was that work stopped completely. Advertising agency offices run on a non-stop cycle of activity most days, and to have next to nothing happening was unexpected and unusual. What is usually a high-performing workforce sat around in the office all day with nothing much to do, their hands tied without access to computers.
Usually, the USB ports of the computers in ad agencies are deactivated to limit unauthorized copying of data to pen drives. Use of personal machines for agency work is actively discouraged. Obviously, advertising agencies work closely with the marketing departments of companies and have access to their strategic roadmap in terms of product launches and communication campaigns, and any leak of information can come back to bite both agency and client. Yet, during the worst days of the shutdown, whenever urgent work had to be done, some of the ad agency folk had to resort to using their personal computers.
Not everybody had to do that. A young creative in another WPP network agency said his clients were largely sympathetic about the difficult situation the advertising network found itself in. It would have been a different matter, he says, if major campaign launches had been scheduled. ‘Thankfully for me, there were none, and all of us could actually relax.’
Like this young creative, many employees across the WPP agencies were glad to get the unexpected break from the daily rigmarole. It was in essence a paid vacation—all they had to do was to turn up at the office and punch in their attendance, and they effectively had the rest of the day off. Some went to the movies, others had elaborate lunches and many lazed around playing cards.
Not everyone was happy though. What complicated the whole ordeal for WPP offices in India was that the finance departments of these agencies were in the middle of handling the shift to goods and services tax (GST)—the signature tax reform of the Central government. (GST, the indirect tax levied on goods and services, has replaced the existing system of VAT, excise duties and other levies in one swoop.) The GST regime was going to be in place starting 1 July, which was just a few days away, and the finance departments were desperately scrambling to be ready for it in time. What was already a complicated exercise was thrown into chaos by the lack of access to computers.
Industry publication AdAge quoted WPP CEO, Martin Sorrell, seeking to reassure the workforce as well as clients, saying there was ‘no indication that either employee or client data has been compromised’.
By Friday, the IT teams were working full swing to scan each work computer by hand. They were also installing the updates that would allow a machine to be declared safe to use. After they were allowed back on their systems, the advertising executives and creatives were expressly advised against opening any attachment from anyone unless they knew for sure that its contents were safe. As a young creative said, ‘Even if the clients were to send something with an attachment, we were asked to double-check and confirm if they had sent it.’
The attack that brought work at WPP’s premier agencies to a screeching halt was the global ransomware attack that went by the name Petya. (The June 2017 strain is now more often called NotPetya, to distinguish it from the 2016 Petya ransomware whose code it reused; unlike the original, it spread on its own across networks, which is why a single infected machine could take down whole offices.)
* * *
Cybersecurity firm Trend Micro defines ransomware as a type of malware that prevents or limits users from accessing their systems, either by locking the system’s screen or by locking the user’s files until a ransom is paid. It combines the entry techniques that malware has always used to get into a system with the end objective of directly making money.
In a successful attack, all you see when you try to boot up your computer or open an infected file is a note from the attacker demanding payment, usually in bitcoin, in exchange for access to your own data. It is extortion and quasi-kidnapping for the digital era.
Ransomware has been around for a while in various guises, but the term saw a spectacular introduction into the public consciousness because of two attacks—that of Petya in June 2017 and, just a few weeks before that, of WannaCry, another ransomware—both of which left a global footprint. Both these attacks got considerable coverage in the media, especially WannaCry, which, with its catchy name, infected computers in around 150 countries. Businesses were brought to their knees by these attacks all around the world.