What is the first thing you do when you wake up in the morning? If you’re anything like me, you either turn off the alarm and go back to sleep, or you reach out to your phone and check on your social profiles. Nothing like a few likes to start your day… right?
Thousands of Facebook, Instagram and Whatsapp users woke up on Wednesday with that same intention: checking on their precious social profiles and messages. With one little exception: they couldn’t.
While company quickly confirmed the outage was not related to malicious efforts, questions had already begun swimming around inside users’ minds… “Was Facebook hacked? Was I hacked? Is the world ending?” These questions kept me thinking.
As someone who has worked with high-end technologies his entire adult life, I’ve been able to collect some useful tips on how companies can prevent a hack along the way. Here they are:
The best way to prevent a hack is to pretend the hack has already happened. The backend should not trust the information coming from the frontend. Credentials, amounts, all data should be double-checked. The reason? Frontend is simpler to attack.
If the hacker gets access to a device where the application is running, he can download the app to a computer, decompile it, look through the code, modify it, rebuild the app, reupload it to a device, and then exploit its vulnerabilities. I insist: never trust frontend.
Every attack costs money and time. By making sure your security is not compromised by a single person, place, datacenter, or provider, you’re raising the cost for the hacker. For the attacker, a diversified security system translates into cracking multiple encryption algorithms, firewalls, etc. The rule is clear: make a potential hack as expensive as possible.
By raising your company’s security status to “too expensive to hack”, you considerably reduce the risk of becoming a target. The easiest way to think about it is looking at your competition. If your systems are more expensive to hack than other players in your field, you’re indirectly channeling hackers to easy money targets.
Let’s take Sony as an example. The company was hacked in 2011 by LulzSec — an organized hacking group — and it costed more than $170 million in damages. The hackers got names, passwords, emails and personal addresses of nearly a million customers.
While that might sound like enough reasons to upscale their security, the company remained on the cheaper end of the hacking grade. Evidence? The same hackers hit back against Sony, not Universal Studios, not Disney,… Sony! But ok… hackers costed the company much less than the previous time, just $100 million.
Intrusion tests are very helpful. All serious financial institutions conduct them. Crypterium is no exception. There are basically two kinds: black box and white box.
Black-box testing works under the assumption that the internal structure of the company is unknown to the tester. White-box testing, on the contrary, consist of giving the tester knowledge on your internal structure. During Beta stage, these tests were helpful to spot some minor bugs. Nothing to worry about… they were all fixed!”
One of the common and most effective ways to attack a company is through the people that work there. A hacker can offer your employee a million dollars in exchange for a password. They can also trick your employees to provide sensitive information. Separation of duties (SoD) restricts the amount of influence held by your employees. SoD plays a major role in preventing conflicts of interest, fraud and abuse cases. It also helps in detecting potential security breaches, and other threats to security.
Last year, Witness French film production and cinema chain Pathé found themselves in a mess of a kind. Several top executives fell into a trap of the so-called “CEO fraud” — a social engineer email scam. The mechanics are pretty basic: a fake CEO or business leaders instructs employees within the organization to wire money to a designated location.
In this particular case, the business email compromise (BEC) scam costed the company about $21 million. Instead of focusing on why the CFO didn’t spot a fraud, but why did the systems in place allow the executive to make large payments in such an arbitrary way. And so it seems French justice agrees with my vision. Following these events, a court ruled in favor of the CFO, finding him not guilty of charges.
Encryption is certainly a must when it comes to preventing hacks. Modern storage systems allow us to transparently encrypt all data. If a hacker gets access to the underlying hardware, he or she won’t be able to read data as it would be encrypted on a higher application or data level.
Educating your entire staff on security is crucial to avoid putting the company at risk. Without enough understanding on how hackers operate in today’s digital ecosystem, your employees are in danger and therefore, your organization too. Exaggerate? These are real cases. An employee gets a call from a ‘boss’ asking for a password. A salesman clicks on a shady link when searching information about a client. Teaching people how to prevent and quickly react in each of these situations might save you a big headache.
There is a preconception that if you don’t tell anyone about your security, you will be more secure. In reality, this doesn’t work. Your company’s security cannot be based on the idea that ‘you think nobody knows how your company is secured.’ Why? Because, like it or not, someone will leverage that idea to hurt you. That’s precisely why the world’s secure algorithms and programs are open source. They are inspected by everyone. Openness is what makes security.
As deputy CTO at Crypterium, I can tell you this: our developers are doing their best to minimize all risks of an attack. Moreover, they’re also doing a lot to ensure your credentials remain in the right hands (yours, of course). This is how we make it safer:
Crypterium is planning to implement a two-step authentication (2FA) in the nearest time. This solution helps in preventing unauthorized access to your account by requiring you to enter a unique code when you sign in and perform specific actions within the app.
Also, the hosted wallet model contributes in keeping your data off the radar. If you forget your password or lose your phone, you can regain access to your digital assets smoothly. This is something other wallets simply can’t do. Hosted wallets work pretty much as an online banking app: you trust your private keys to a third-party in exchange for security.
Another distinctable point about this type of crypto wallet is the ability to revert unwanted transactions. Imagine that some intruder tries to make an internal transaction with the Crypterium App. If that transaction was processed on blockchain, it would be extremely difficult for us to revert it. Keeping internal transactions off-chain helps users recover their funds easily. An interesting read on this matter here.
On a personal note, I suggest you to treat your credentials as something that really matters to you, like your bank card or car keys. Your credentials are the very first line of defense against internet thieves. If you’re using your address, school, or a lazy Star Wars reference for your password, it’s time for a serious change. Checking the websites you are visiting, web browser certificates and the use of a password manager will also help you prevent potential attacks.
Let’s face it: no code is bugless. Hopefully, my tips will help your stay safe for a long time.