Episode 10: How a global crisis is a playground for cybercrime

Transcript of the recording

Cyrielle Chiron:
The past couple of months have seen Canadians shifting their daily habits and tasks digitally, be it for personal or professional use. In doing so, we've become increasingly reliant on online platforms for shopping, communicating, taking care of our finances, and even exercising. While it's been a necessarily shift, it hasn't come without its own causes for concern. Cyber crime has seen an uptick, prompting Canadians to rethink how they can protect themselves when online. For the payments industry, which deals with some of the most sensitive information that exists for both businesses and the individual, there is no time like the present to get informed.

I'm your host Cyrielle Chiron, and this is The PayPod, where we talk about all aspects of Canadian's ambitious payments modernization mission and explore the topics that influence payments in Canada and around the world.

In our previous episode, we analyzed how payments have shifted since the impact of COVID-19 took effect, bringing with it a new normal of online payments transactions. Simultaneously, we've also seen a rise in cyber crime as fraudsters are quick to take advantage of this shift, whether through hacking Zoom calls or increased phishing attacks, which is what our two guests will be diving into today. It can be nerve-wracking and a potentially dangerous situation if you do unfortunately fall victim to it, but they are ways to protect yourself and your organization as best as you can.

Joining me today is Alex Frappier, Director of Strategic Partnerships at CanCyber, a non-for-profit organization. Alex has over 20 years of experience in security and threat intelligence with the private sector and government of Canada. He is a certified master level social engineer and currently doing a master's degree at the Manchester Metropolitan University in the UK on communication behavior and deception with a focus on deception techniques used by a hacker on social engineers.

We'll also be speaking to our very own Martin Kyle, Chief Information Security Officer at Payments Canada, where he applies his understanding of cyber security to problems facing the modern payments landscape. Martin has been involved in the design of international standards, government and corporate security policy, commercial software releases, predictive risk models, and patent awards. We're excited to have him join and provide his unique perspective.

Thank you both for being with us today on the PayPod.

Martin Kyle:
Well, thank you, Cyri.

Alex Frappier:
Thank you, so much.

Cyrielle Chiron:
So I'm really pleased to spend some time with the two of you, actually, and understand more about cybersecurity. Before we start speaking about what we need to be aware or can do us as citizens to avoid any issues online, I'd like to start with you, Alex, because your background is very interesting. So coming from the human behavior side of the cyber industry, I think I need to understand a bit more about this. I would have never put human behavior and cyber together. So enlightened me a little bit, please.

Alex Frappier:
Thank you. Actually, it's quite interesting. Because we often think about the different types of attacks, and we think of it as being really technical. But at the end of the day, most of the attacks that we're seeing are what we call social engineered. So there's an element to it where we attempt to basically change somebody's mindset or get them to conduct an act that they wouldn't do otherwise.

So as such, if you're looking at phishing, for example, phishing emails, you need to have some type of understanding of psychology in order to get someone to click on that email while they wouldn't necessarily do it. Other attacks like, voice solicitation, is pretty much the same thing. You're going to try to bring somebody in a very specific path, change their way of thinking, and this is how you're going to be successful in your attack.

So the human behavior part, there's there's many, many aspects to it, which on the physical side as well if you're looking at deception detection, if you're looking at impersonation, people trying to get into a building, a facility. There's ways to actually protect yourself on this by looking at the actual mindset behind it. The understanding of the behavior allows us to really understand how the attacks are being done, why they're being done, and what are they using to make these successful.

Cyrielle Chiron:
Wow, that's pretty intense. I like the trying to change the behavior. Well, talking about that behavior and what motive you could have behind, so can you tell us a little bit of what motives actually like behind the sort of activities that are occurring in Canada or globally? And what are the key behaviors you've seen that citizen may be able to look for to avoid any of those issues online?

Alex Frappier:
You know what? I think that it's not necessarily the type of behavior we need to pay attention online, but more to be aware of our own behavior and the way that we actually respond to specific events.

When we're talking, generally speaking, influence emotions, there is a concept called the amygdala hijack. The amygdala is a small part of the brain that basically processes emotion. If you are feeling fear, anger, could be disgust, but any strong emotions, your thought pattern changes. While you may be very used to working, for example, security, you know your emails, you know what's happening, hackers or social engineers will use these to affect your way of thinking. So they will actually hijack your amygdala to create an emotional response that's going to affect the way you will respond to an event.

So one of the major why is it so important today with what we're living, often they're going to go on a major event in the world, a disaster, something that people read in the news and they're really affected by this. So right now we've got the perfect scenario with the pandemic going on.

Cyrielle Chiron:
Indeed.

Alex Frappier:
It's big, everybody knows about it, everybody talks about it, and people are scared. So that's a very easy way to introduce a scare or panic into any email or any type of actual discussions.

The other thing is working out of your environment. People aren't really good when you're not in your typical environment. There's a bunch of distractions, there's a bunch of different things that will affect your regular thought pattern. When it comes to security, you need to be thinking clear. You need to know, is this a threat? How do I behave? How do I do this? It's through basically user either reputation or training that we usually stay safe.

So right now the pandemic is huge for this. A huge, huge, huge opportunity for hackers.

Cyrielle Chiron:
Just some examples that you could share with us that happens in the pandemic?

Alex Frappier:
So if we're looking at most of what we call indicators or compromises, or the emails when it comes to phishing, a lot of the domains that have been found to be used by criminals are linked to COVID. The list of actual new website or domains that are COVID related is completely amazing. It's by thousands. So people register new domains, and they will send an email saying, would you be interested in either donating, or there's really important information that you might have been targeted or you might have been in contact with someone, please click here for more information. That click might be what's going to get your computer infected.

Cyrielle Chiron:
Wow, okay. Yeah. That's pretty good to remind everyone, because those emotions, you can't necessarily control them all the time. Especially during times where it is a crisis like today.

I'd like to go back a little bit after and discuss that further. Before that, I'd like to talk to you, Martin, and I'd like to tap into your payments expertise here, because I know you have a lot. Payments fraud is nothing new, right? I know this is something we talk a lot at Payments Canada. That being said, as the payments industry continues to see rapid change in terms of available platforms, technology, et cetera, how have cybersecurity threats evolved with them?

Martin Kyle:
In summary, cybersecurity threats have become more sophisticated, and those threats in the payments world, they can materialize the individual or they can move all the way up the food chain, if you will, into the businesses, and even the wholesale system.

Take for example, the heist of the Bank of Bangladesh in 2016. So that was a central bank that suffered a compromise that cost them over a hundred million dollars, and only a portion of that has been recovered. That operation involved malware that had been on their systems for months, allowing threat actors to learn the business processes needed to get that money out from their account at the Federal Reserve to offshore accounts in foreign countries, in, in fact, individual accounts.

Now some of that was recovered, of course, but the sophistication of that type of attack is much greater than perhaps the attack you might see for an individual on their own online banking account or within their own computer.

Cyrielle Chiron:
Mm-hmm (affirmative).

Martin Kyle:
Generally the cybersecurity threats have become much more sophisticated. Why is that? Well, we also have nations who operate their cyber tools in alignment with their mandate to support national intelligence objectives. But sometimes those tools, they make their way into the hands of criminal organizations. Once the criminals get ahold of these very sophisticated tools, they're easy to replicate and build into frameworks, and those tools are then used to exploit the individual or financial systems or other targets.

Adversaries themselves, they differ in their sophistication levels. While we can classify them into general groups like the script kitties, hacktivists, organized crime, terrorists, or even state-sponsored adversaries, one thing is true: The tools, tactics, and procedures they use are always evolving. That evolving threat forces us to stay on point in a defensive position.

Cyrielle Chiron:
Right. Well, that's pretty interesting. So on one side we talk about the human brain, going into our emotions, and then the other side, like everything is evolving. Even if you are evolving your response, they kind of build on that and able to threat. So you always have to be on alert, right?

Martin Kyle:
Exactly. It's an arms race, if you will.

Cyrielle Chiron:
Yeah. Exactly. Well, that's pretty interesting.

So now that we kind of understand that better, is there any consistent gaps or mistake that either of you often see Canadians make when it comes to protecting themselves or their business online? So obviously not sharing too much personal information on social media will be one you will tell me, but what else can you share with us?

Maybe I'll start with Alex first, and then we'll see what Martin can add to that.

Alex Frappier:
Yeah. I think one of the issue is we're aware of the threat as organizations, and Martin is right, there's new tools that are coming from state actors, but there's also the availability of these tools either on the dark web or very easily with Chatbox that people will direct you in the right place. So companies are aware of this, and we do provide some user awareness training. But this training is often too limited in scope and it has not prepared us to actually work from home.

From home, you've got a completely different setup. Often your distractions are going to be much greater, but you will also mix your personal system with your work system. Some people will open their emails on both. They're going to have kids running around, so the distraction is at its max level. I think the lack of preparation or training in regards to this is really catching everybody off guard. Because you're not too sure what to look at. You're not too sure what do I do in this new environment?

I talked about some impersonation attacks by email. Phishing is easy. But you've got the same thing with phishing, which is voice solicitation, where are you going to impersonate somebody else in your company to basically open or click something. The same thing happens with SMS. So you could do smishing, which is on text messages attack. But there's no way right now, there's no system in place, that allows companies to properly identify who's actually sending the email. So you might be receiving an email from your boss asking you to conduct this or open this document, but it could actually be a threat actor.

We've seen this many times where impersonation gets done not only on email, but also on the phone. They're going to listen to the voice, because often now there's video, there's podcasts, there's so many things where you can actually get the right tone of somebody's voice, and you just call and you impersonate them. You can see the call regardless, but if you're confident in the way you are talking, people will feel this and then they're going to start to doubt, and you could direct them to do very specific stuff like open this. I need a transfer of this amount of money right now. I am actually doing this, I'm stuck with that, I need it rushed, and people actually do this.

Companies have lost hundreds of thousands of dollars by these typical frauds. But these were done at the office where people were already somewhat protected, but doing it at home, either with the contact information, the video calls, or if your phones are being forwarded, people aren't prepared for that. So I'd say a lack of training is probably one of the biggest issues. People aren't prepared for this.

Cyrielle Chiron:
Right. So maybe I should change the pitch of my voice to make sure they're not copying my voice when I'm speaking right now. But that's a very good point, right? We are moving from being in an office all the time using professional assets to now using both. That's something very interesting that you're pointing out.

Martin, is there anything you would like to add to that as well in trying to see what are the mistakes that we often do, Canadians, that make us into those situations?

Martin Kyle:
Before I touch on the mistakes, I'm going to actually touch on the good behaviors, and then I'll invert them and we'll talk about the mistakes. So there's a security journalist out there by the name of Brian Krebs, and he has a few basic rules for staying safe online. The first one is if you didn't ask for it, don't install it. Taking from what Alex has discussed in the social engineering aspect of threat actors attacks, if you didn't ask for that email, maybe you should be suspicious of it.

So the first rule is if you didn't ask for it, don't install it or don't open it. If you installed it, keep it updated. If you don't need it anymore, get rid of it. So you can apply these rules to all of your software applications, your operating system maintenance, and even firmware associated with hardware devices in your home, like your home router. When's the last time you updated the firmware on your home router? That's an important thing to do.

So the inverse of these rules are the mistakes. For example, install or open everything put in front of you. No, don't do that. Or never update whatever you install. Don't do that either. Or never delete those old applications. Don't do that. So those are the kind of key mistakes.

These rules are all about minimizing what we in the trade call your attack surface, or the opportunities you present to a would be adversary. Because the threat environment constantly changes, individual users need to maintain their kit to stay ahead of these adversaries. These simple rules will give them a way to do that.

Cyrielle Chiron:
Yeah, that's great. Those are good tips, thanks. I think it's good to remind what you can do.

I'd like to go back into what we were talking about working from home and using personal assets and professional assets. Even if you have to have dates and everything, what could you do when you are an organization and your staff is using both, how can you control that, right? Making sure that those cyber security threats are being on the personal assets and not the professional assets. What should you keep in mind? We talk about from the consumer point of view, but what about the company, like the one where the staff is using those different assets?

Alex Frappier:
Yeah, I think it always depends on what you do and how you do it as a company. But first thing would probably be if the company is able to provide an actual dedicated laptop or system that people can use separately and not start running their videos and everything on them. Because there are a malicious links out there that people can actually click. If they're bored and they're using your system for both, that is already a problem.

The other thing is while we are at work, there's two tips that I think that are important. One is don't post necessarily on social media what you do and how you do things, because that's a very interesting way to conduct an attack. If I know that you're using software you're not sure, I'd be tempted to actually contact you as somebody from the company and tell you that you need to install this very specific software file.

As a company, you do want to have here are the dedicated or the actual equipment we're going to use here, the system files we're going to use. So we're talking system files, docking file types, and talking different software. So it's got to be clear from the beginning what are the expectation? And if there's a decision that you need to connect to get access to proprietary information, internal database, for example, it needs to be secured, but it also needs to have a minimum of two-factor identification. If somebody calls or sends an email to ask you to do something that would potentially have a great impact on the company, in theory you need to also have that human second factor of the notification.

So if you do get an email from your boss saying, I need you to transfer that amount of money, I need you to conduct this action. Well, I'm going to follow up with a call just to be sure that actually, yes, I did ask you this and do it. It's something that is easy. It looks very annoying. It's like, ah, it's extra steps, I don't need to do this. But that's true until you actually get a criminal that gets access to your bank account. At that point, it's like, well, that was a very small step just to make sure that my environment is secure.

So I think that would be like two small things. Don't post what you do, and try to have a dedicated system with really clear information and guidelines on how you actually need to use them.

Cyrielle Chiron:
So I don't trust if somebody is telling me they're going to send me a bunch of money from Africa. It's not true, I have to confirm that before.

Alex Frappier:
It depends if there are a prince.

Cyrielle Chiron:
Yes, obviously.

Cyrielle Chiron:
I'd like to turn to you, Martin. I want to talk about payments more specifically. I know this is something we speak a lot at Payments Canada, and I think it would be good that you share your knowledge with our audience. So on one side, I want to talk about Payments Canada specifically, and then I want to talk about the payments organization.

So for Payments Canada, how has Payments Canada mitigated or identified increased security risks to the industry since the start of COVID-19, and then how have payments organizations since adapted to those risks?

Martin Kyle:
So Payments Canada, we operate an active threat intelligence program. So that's a program that is focused on researching what threat actors are doing so that we can prepare our systems, our processes, our employees, for those threats. So we have some seasoned experts there, and those people in our program, they have strong relationships with our partners to share this threat information amongst the industry.

Through that threat research, we're able to receive and share certain indicators that help us arm our defenses. Those defenses can be technology, they can be improved processes, they can be employee awareness or strengthened and more resilient people to these threats.

So we run an internal security awareness program at Payments Canada that teaches everyone five basic steps. Those are know your important stuff, protect that stuff, be aware of any threats to that stuff, report anything suspicious, and always have a backup plan. We call it our Be Vigilant in Any Situation Guidance to Employees.

It's really the same type of process that you would use if you had something valuable physically, as opposed to something valuable virtually, like an information asset. You simply want to identify those things and know what's valuable or what's important, protect it, be aware of any threats to it, report anything suspicious, and then always have a backup plan if something goes wrong.

Cyrielle Chiron:
Yeah. I like the backup plan. I think it is something maybe sometimes we forget.

We talked a bit of tactics when you were saying what are the good behavior, I like to explore that a little bit further. We have, obviously, talked about Canadians being vigilant and understanding and being aware, and also your emotions. Is there anything else that you think we can implement? Is there any cyber SEF tools or anything that can protect ourselves now and beyond the pandemic?

Martin Kyle:
Absolutely. The first thing I'd like to touch on, there's kind of three things that I think are really important here. One is having good password hygiene. Part of that means don't reuse the same password across many different applications. If you have a password that gets compromised at some internet service and you've reused that password, then the threat actor can take that password and try to stuff it into your other applications and compromise the rest of your life or, hopefully not, your business.

So password hygiene is really important. There are some good tools out there that will help you with that. I recommend using a trusted password manager.

Cyrielle Chiron:
Right.

Martin Kyle:
There's also a service, secondly, that I want to touch on that has come out recently to help Canadians protect their internet traffic, and that's a free service from an organization called Cira. C-I-R-A. It's called the Canadian Shield. It provides you with a domain name service that can filter malicious domains in your internet browsing. I would recommend people use this service to protect themselves.

Then finally for a third recommendation, our government, through the Canadian Center for Cyber Security, provides resources at getcybersafe.ca. It provides resources on how to detect a phishing message, how to protect yourself online.

I think those three things are really important. Manage your password hygiene, protect your internet traffic with the Canadian Shield, and get cybersafe.ca.

Cyrielle Chiron:
Yeah, that's pretty good. Alex, is there anything that you think that you could add from your knowledge?

Alex Frappier:
I think just training people how to be safe with their personal finances, how to protect their personal computers, bank accounts, if people get the habit of actually being safe at home by using some of the means that Martin talked about, some of the tools that Martin talked about. So the Cira Shield is interesting. VPNs are very easy and cheap software that you can get that will also monitor some of your links depending on what you want. There's a lot of things, but we just need to really keep it in focus that if people are safe with their personal devices, they're going to be safe with the business as well. I think making them aware of this as a good thing.

All of this is pretty basic, and some of the links that Martin talked about will give you a whole lot of good examples in regards to how could you be safer at home. Because in reality, we're still looking at videos and snapshots where passwords are still actually on stickies during video conferences. So yes, updating is very interesting, but the obvious sticky is definitely a bad thing. There's still pictures all the time.

But more than this, you've got to be careful about your background. So I'm talking video conferences, for example. They're using a very unique background or they're using something digital to cover their background. The first thing I usually do that might be my training in social engineering, but I tend to look at what is at the background of someone. Can I see anything I could actually relate to, or that it could go back and ask questions and create a personal relationship with that person to build trust? Pictures, frames, kids, anything you've got in your background says a lot about you that could be used.

So video chat from home is one thing that you can discover quite a bit, but I'd say more than this. If you're from home, your work, your remote, lowering the distraction is going to be one of the major thing. Because you need to keep your mind straight and focus in regards to detecting the security and applying what you've learned. If you are heavily distracted, or you tend to do like I like to do if it's nice outside, I bring the computers outside and I work directly in my backyard. People can hear, and I am heavily distracted when that happens. So I'm a perfect victim for stuff like that. So it's a question of just being aware of your environment. The same thing applies to the working away from home, but now it's a tricky time.

Some people have said that at the beginning of the pandemic, there was a lot of increase in criminal related activities, targeted companies, because of the remote work. It seems to be going down a little bit. But as soon as something big is going to come up in the media, it's going to come back again.

Just don't think always, oh, it's the pandemic. I'm going to look for emails for COVID. It could be anything. Anything. And then use that as an impact or that's going to basically shake you up is something that you still got to be aware of. So lower these distractions will keep you better focused and will likely keep you better secured. It's a very, very easy thing to do.

Cyrielle Chiron:
Yeah, you're right. We open our home to everyone now with the working from home environment, so it's pretty easy to see things that maybe seems normal for you that can be something attractive for somebody that wants to do harm to you.

Martin, I'd like to specifically think about the payments industry overall. Do you think that there's some specific tactics that we can think about? Especially that right now we are moving towards stuff being a little bit more open, right? Like with the open payments, et cetera. Is there any tactics or anything that you would be able to share with us or things we need to think about?

Martin Kyle:
Well, I'm going to sound like a broken record here, because I'm going to go back to those five steps. Know your important stuff, protect that stuff, be aware of any threats to that stuff, report anything suspicious, and always have a backup plan. Those are my go to steps for being vigilant, and they apply in the context that Alex just described. Being in the backyard, working, and you're distracted. Maybe you're not quite as aware in that environment.

It's not something that you can just do once and forget about it. These are steps that you kind of have to do all the time and try to ingrain in your behavior, knowing where your important things are. I'm sure many of us know immediately where our phones are or where our keys are or where our wallet is. Having that same sense when it comes to our business assets is really important.

When we move from the individual to the business, or the small business, they have to kind of take these five steps and then unpack them and figure out what does it mean? That could be a daunting exercise when they may not have the expertise to deal with such sophisticated threats that we've discussed in this podcast.

But there are some resources out there, and again I'll sound like a broken record. One of the good resources is something that the Canadian Center for Cyber Security has published, and that's a list of the top 10 mitigation strategies that an organization can use to build a strong technology infrastructure. I'm not going to go through all 10 of them, but I'd like you to know that the list exists and they're very practical things. They're rank ordered, as well, in what's most important. You do the first one, and then second most important, do the second one.

Just to give you an example of one of these, I'll take the second one, for example, which is a recommendation to patch your operating systems and applications. Unsurprisingly, that's very similar to those three Krebs' rules that I talked about earlier. If you'd installed something, keep it up to date. So it's good practical guidance that helps a small business unpack what's inside of those five basic steps that I talked about. So I would recommend that folks go and look that up.

Cyrielle Chiron:
Yeah. I think those are great advice, especially for businesses or people who don't have a team of experts like you two to guide them. So I think those references are pretty good to share, so I thank you from everybody, I think. Because I was not actually aware of that.

One final question for both of you. So we only scratches the surface here today. I definitely learned a lot, so thank you. You talked about recommended sources and some tips. Is there any one final thought that you would like to share with our audience? We'll start with you, Alex, and then we'll go with Martin.

Alex Frappier:
There's one thing that's very important. You've got to remember as an organization, each of your employees is a potential target. How hackers get to select who they're going to target usually goes with how present they are on social media. So yeah, this is something we've talked about many times, but we definitely do use this. We definitely look at social media profiles, but you've got to think another layer.

One of the first things, there's so many open source tools that we could use to get all the emails associated with a company. So if you are being targeted and you notice something odd, it's like that email was really weird, don't sit on it, report it back to your company. Because that just means that you are one of how many other employees that are currently being targeted. It's incredible that you've actually spotted it and were able to stop it, but some of your colleagues will likely click on the link and will likely get you compromised or get the company compromised. So by sharing information, even if you are remote, you will enhance the chances of your security and the security posture of your organization.

In regards to actual resources, with social engineering there's quite a bit. I kind of like Christopher Hadnagy. H-A-D-N-A-G-Y. He runs two websites: Social-engineer.org and .com that has multiple references in regards to this. He's also written books. When it comes to actual using human behavior and emotions to target through cyber means any companies, it's really, really interesting to check.

If not, I've got hundreds of books on different topics on this, so I won't mention any of these now because that would take forever. But with a bit of interest, definitely there's a lot of stuff, and you can reach out to me personally. So you've got coordinates if you need to, at least my LinkedIn page, and yes, please reach out. I will provide more information in regards to just basic understanding and stuff that you can use.

Cyrielle Chiron:
Well, thank you for that. Martin, any final thoughts that you'd like to share?

Alex Frappier:
Yeah. Aside from the great term that Alex threw out there, watch out for the amygdala hack. I like that because we are product of our reptilian brain, I guess in some sense.

There are a couple things that I think we should be aware of. For the business, I would say understand your supply chain. There are many case studies of adversaries using your supply chain as a way into your organization. So understanding your supply chain and what threats and vulnerabilities exist within your supply chain is important. Certainly when you're signing on vendors or negotiating contracts, those are things that you want to understand because they will help you allocate risk appropriately in that process.

Also, if you're a small business or if you've got some system administrators out there who are trying to get more information, more actionable intelligence in this area, I would recommend the Canadian Cyber Threat Exchange. It's a not-for-profit organization, and that's a place where your system administrators can subscribe to indicators of compromise and threat reports and it will help them arm their perimeter defenses.

So those are a couple of good resources. For the individual who's listening to this podcast, you can get practical tips for staying cyber safe at getcybersafe.ca, brought to us again by our government and the Canadian Center for Cyber Security. Other than that, I would suggest if you really want to geek out and you're interested in the political intrigue of the cybers, I really enjoy listening to the Risky Biz podcast with Patrick Gray and Adam Boileau.

Cyrielle Chiron:
Great. Well, thank you very much, both of you. That was a really great discussions.

Martin Kyle:
Thank you, Cyri.

Cyrielle Chiron:
As the Canadian workforce remains working from home for the foreseeable future, longer than initially expected, actually, - well, at least for me - these concerns discussed today remains constant. As the Provinces continue a gradual reopening, we could see some payments shift back towards their pre-COVID state. But overall in a country that recently so saw Shopify surpass RBC as Canada's most valuable publicly traded company, online payments and their subsequent threats are here to stay. So remaining informed, vigilant, and aware is the best preventive method to ensure that your home office and network is secure.

On the payments front, the industry continues to work hard to provide fast and efficient services to customers. Thank you to both our guests for sharing their insight on how we can do exactly that.

That's all the time we have today, but be sure to join us next time as we dive deeper into Canada's payments ecosystem. I'm Cyrielle Chiron, thanks for tuning into the PayPod.