‘Lock your doors!’: MFAA anti-hacker warns brokers

Speaking at the MFAA lessons from the Optus data breach webinar (19 October), Kaesim Cybersecurity’s Paul Hankin emphasised the importance of two-factor authentication (2FA) to protect brokers and their clients — and everyone’s reputations.

The webinar included a summary of the Optus experience and lessons learned; tips on reducing cyber attacks; how to avoid ransomware shutting down your business; email fraud and phishing attacks — the best ways to prevent financial losses; working from home safely by securely protecting staff from home-based risks; and how to choose cyber insurance to ensure compliance.

“I want to tell you about the biggest industry you may never have heard of before,” said Mr Hankin.

“Essentially, cybercrime is now organised crime, and it’s fully industrialised.

“The revenues globally are three times greater than [US] Walmart, which is the largest retailer in the largest economy in the world.

“And it generates around 1.5 trillion a year in profits, which is more than the top five US tech companies combined.

“If there was a country, cybercrime would be the third largest economy in the world, after the US and China, based on the amount of damage that’s done currently.”

Australia sits around being the sixth most targeted country presently, but it is unfortunately first place when it comes to “ransomware”, which is increasing, he stated. Victims on average are asked to pay random close to $100,000 over a year, with a government hotline receiving a ransomware crime report around 60 times per day, he added.

Organisations that are hit range in size, with familiar names such as Toll, Canon, Spotlight, Service NSW and more recently Bunnings, TikTok, Uber, Optus, Medibank and Woolworths not out of target sights.

“Basically only 10 per cent of cyber attacks are reported… which means the problem is 10 times larger,” Mr Hankin explained.

“Honing in closer to Australian small-to-medium businesses, they’re a big target because they’re ‘low hanging fruit’, the easiest ones to hack.

“And government research shows what the cost ends up being $276,000 on average. Your business can be closed [up] to three weeks and you can suffer quite a bit financially, as well.”

Mr Hankin said hackers don’t focus on hair salons, gyms, or 7-Elevens, but rather professional services for ransomware attacks — with financial services, “…right at the top of that list.”

The upshot of the Optus hack

As for the widely covered Optus data breach, said to have affected 10 million Australians, ultimately the perpetrator turned out to be “just a kid who found some low hanging fruit”, who was discovered by a journalist trying to sell the Optus client data on “the dark web”, which Mr Hankin described as, “…eBay for criminals. It’s where criminals buy and sell your stolen data.”

“There are 24,000 scammers listed here that you can buy and sell stolen data to and from; they have over 1.5 million reviews,” he said.

In terms of how this happened, technically speaking, there was “… an API endpoint with no authentication,” which in layman’s terms means there was a database with no password protecting it, Mr Hankin explained.

“That’s all it was — the database on the internet with no password protection,” he said.

“Basically, [like] I’ve just left the door open and left it unlocked for anyone to walk in — and that’s the definition of what we call low-hanging fruit.”

What brokers need to do to protect themselves — and why

Mr Hankin recommended the following anti-hacking tips and techniques for broking and finance businesses to mitigate the risk of a cyber security incident.

*Use two-factor authentication on everything that you’re logged into — this is ‘two step’ login, so it’s something you know (password) and something you have physically (a code on your phone).

“Passwords are not enough anymore. They’re very easily hacked. So 2FA fixes this problem really well,” he explained.

“Check the security settings on all your software and all your websites — if there’s a 2FA option, switch it on!”

*Switch on 2FA on all your apps — including all your socials like LinkedIn, Facebook, etc.

“Especially on your social media accounts. They’re very commonly hacked. Imagine as a broker — brokers rely heavily on Google reviews — if you lost all your Google reviews in one day that you’ve built up over years and years,” Mr Hankin said.

*2FA pro tip — use a phone app to generate the codes (instead of getting text messages sent to your phone) and add anti-virus.

“It’s much more secure, as text messages are considered not secure. And also add any anti-virus protection to your phone because your 2FA is no good if your phone has been hacked,” Mr Hankin said.

*Use a password manager.

“It’s pretty much like you go out and lock your car doors when you’re parking your car so someone just doesn’t walk in the door and off they go,” he explained.

“Passwords? We all hate them, but we have to deal with them too. We know that 50 per cent or more [people] use the same or similar passwords for all their websites, which means if one of your websites has a data breach, hackers get that password and… can try that password, or variations of it, on all your other websites as well.

“Tip — use four unrelated words plus a number and that creates a phrase-relevant word — and make it unique, something you haven’t used before. So, four unique words plus a number.”

*Ransomware — avoid crippling your business.

As a concept, ransomware is pretty simple in that the hacker breaks into your computer via various ways, locks all your files and thus stops your business from operating, and usually, the hacker will continuingly demand large amount of money to unlock files, but never doing so as the demands and process cycles through, Mr Hankin explained.

“It’s worse now with a number of data breaches being reported in Australia. The specific stats are around $100,000 to fix the problem, and your business can be down for two to three weeks,” he advised.

“The strategy here is you need offline backup (not cloud) and any proper anti-virus business-grade, enterprise-grade... Not the free stuff.

“You [also] need to encrypt all your data, and you need to have cyber insurance as well.”

MFAA resources for brokers to access

During the webinar, the MFAA confirmed it had developed a set of frequently asked questions (FAQ) for its members as to what a broker’s rights and obligations are under various laws around data and privacy.

These FAQs also provide some guidance on how brokers could engage with customers and some tips around what brokers can say to your customers as “…comfort that their data is safe with you,” the MFAA explained.

The MFAA also launched a new comprehensive fraud and scam awareness training module for members, which it had been developing internally but in close collaboration with fraud investigators and legal experts.

It includes a number of in-depth case studies and it’s designed to give a really deep understanding of why fraud is committed and how to avoid these risks in business, the MFAA stated. 

Tailored information for discerning brokers

It should be noted that Mr Hankin — a former mortgage broker himself — has worked in the IT and financial services industries since 2001, combining his IT skills and finance experience into digital transformation (DX) projects for mortgage brokers, the MFAA explained.

By 2013 he was focused on IT security for offshore teams helping brokers and financial planners secure their back offices.

This involved working with single-broker offices, a top 10 broker with 17 staff across three locations from Melbourne to Nepal, and Yellow Brick Road.

[Related: Data protection predictions for 2022]