Panama Papers: Cyber security wake-up call
It was a monumental data breach: The Panama Papers’ revelation of the unethical activities of the rich and powerful. The leaks from the hitherto quiet Panamanian law firm, Mossack Fonseca, involve 2.6TB of data spanning over 11.5 million documents, according to the German newspaper Süddeutsche Zeitung. In a single hack, a whopping 2.6TB of data, the largest of all time compared to Wikileaks (1.7GB) and Sony Pictures breach (230GB), was hauled out of Mossack Fonseca’s computer servers. The attacker absconded with this vast trove of information undetected.
Was this an avoidable cyber security mistake on the part of Mossack Fonseca? Oh yes! According to reports from WIRED, Mossack Fonseca runs versions of Drupal and WordPress that were last updated in 2013 and 2014 respectively, and a version of Outlook Web Access that hasn’t been updated since 2009, and sends unencrypted emails. Such outdated software is known to have several vulnerabilities which an attacker can easily exploit to gain unauthorized access to computer systems.
Considering the kind of business Mossack Fonseca is involved in and the sensitivity of their clients’ information, one would have thought that basic security practices such as the application of updates would be taken very seriously, but that was not the case. Outdated versions of software that organizations fail to patch are one of the most common sources of cyber security vulnerability today.
Unfortunately, the security mistakes Mossack Fonseca made are very common; most organizations in Nigeria are making the same mistakes. What happened to Mossack Fonseca and its clients can happen quite easily to most organizations in Nigeria. In fact, your systems may have already been compromised by hackers. You probably just don’t know it yet.
Cyber crime is a flourishing underground business in Nigeria, although most of it has been centred on the archaic Advance Fee Fraud (419), which involves little or no technical expertise. The perpetrators merely use computers as a tool to commit their crime. However, with advances in exploit kits, free hacking tools and leased hacking services, what was once only possible for highly skilled hackers is gradually becoming available to these Nigerian cyber criminals with little or no technical skill.
The Acting Director General of the National Information Technology Development Agency (NITDA), Dr. Vincent Olatunji, recently stated that Nigeria has experienced 3,500 cyber attacks within the last year, with a success rate of over 70% and a loss of $450 million.
Most, if not all, of the ATMs in Nigeria are still running the obsolete Windows XP operating system. The desktop version of Windows XP was retired by Microsoft in July 2014, while support for the embedded version – Windows XP Embedded Service Pack 3 (run on ATMs) – was withdrawn in January 2016. Furthermore, support for Windows Embedded for Point of Service SP3, used in Point of Sales (POS) devices, ended on April 12, 2016.
Thus, since January 2016, Microsoft has stopped issuing security updates for the flavours of Windows still used by the majority of ATMs in Nigeria (and other countries around the world), and has warned that any ATM still running Windows XP Embedded Service Pack 3 (SP3) from mid-January onwards is at greater risk because software updates and support have been withdrawn. The lack of security updates puts the ATM network at greater risk from hacker attacks and malware infection. Malware has already been used to infect ATMs and steal money through various scams in some countries around the world (especially Mexico and Russia). Most banks will quickly assert that their ATM network is behind a layered protection architecture with strict firewall rules. Be that as it may, having an obsolete and unsupported operating system on a machine that is able to dispense cash to customers is still a substantial risk unless there exists a signed special premium support agreement with Microsoft.
Similarly, the CBN deadline for the installation of anti-skimming devices (devices that protect customers from ATM fraud) on all ATM terminals in Nigeria expired on June 1, 2014. Unfortunately, there are still some ATM terminals across the country without anti-skimming devices. It was reported last year in a national daily that a number of ATM terminals located in the Lekki and Victoria Island area of Lagos were hit by fraudsters with skimming devices (tools used for harvesting ATM PINs and card data).
The personally identifiable information, including fingerprint (biometric) data, of most Nigerians has been obtained by various governmental agencies such as INEC (PVC registration), FRSC (Driver’s License), Immigration (International passport), NCC (SIM registration), CBN (BVN registration), NIMC (National ID card registration), etc. The question is: Is this biometric data adequately protected? A few weeks ago, the Philippines witnessed a cyber attack on its electoral database (the Philippines’ Commission on Elections), with 55 million voters’ fingerprint and passport data stolen and leaked online. A similar incident occurred late last year in the US Office of Personnel Management (the US Government agency in charge of federal employee data), resulting in the theft of 5.6M fingerprint files.
What would criminals do with lots of stolen fingerprints, you may ask? Well, no one knows for sure the potential security implications, but what we do know is that biometric data (such as fingerprints) cannot be replaced once stolen. While it’s easy to update your password or get a new debit card, you can’t get a new fingerprint. The consequence is something you have to grapple with for the rest of your life.
Curiously, the use of biometrics (something you are) is increasingly replacing passwords (something you know) as a means of authentication. There are already plans to introduce ATM terminals with fingerprint authentication into the Nigerian market, for example. If you have an iPhone or a modern laptop, you probably use your fingerprint to gain access to them as well. There are growing concerns about how hackers might leverage stolen fingerprints. We need to ensure that adequate security measures are put in place to protect the biometric data of Nigerians that was obtained by various governmental agencies.
While everyone can learn lessons from the Mossack Fonseca breach, it should provide a particularly loud wake-up call for every business in Nigeria (both in the public and private sector). Cyber criminals will continue to seek out and target profitable and poorly defended data.
• Welekwe is an Information Technology expert based in Port-Harcourt, Rivers State.