It turns out the recent iCloud celebrity “hack” wasn’t really a hack at all. There wasn’t some super genius computer geek who, through superior knowledge of Apple’s infrastructure, found a way into their inner system. It required no more skill than a common thief tricking celebrities into thinking an email they constructed was from Apple requesting them to sign in using their iCloud password. Once the password was acquired, the thief simply logged into iCloud as them and grabbed whatever they wanted. Sending an email masquerading as someone else is called “spoofing”, and using spoofing to obtain confidential information is “phishing”. Unfortunately, both are quite easy to do and common in the Internet underworld: thieves prey on the unsuspecting, the busy user, or, in this case, targeted celebrities.
The consequences range from annoying to devastating. When the recipient clicks on a spoofed email (one they think comes from a trusted source like a bank, healthcare provider or a product company like Apple), many things can happen. On the annoying end, it may be a bogus email advertising the latest in hair, breast or penis enhancements. On the devastating end, it could load a virus that disables your computer, grabs your information, or tricks you into revealing personal information that allows someone to access your bank accounts or private pictures.
According to RSA, $5.9B was lost globally in 2013 due to email spoofing and phishing without even counting the cost of data lost due to infected computers and the hours lost cleaning up the damage left behind. With over 180 billion emails sent every day and underground tools making spoofing even easier, this problem will only get worse if nothing is done.
So how can this be stopped? Well, users could scrutinize every email header and try to determine if the email came from the company or person it says it came from. But who has the time or expertise for that? And isn’t it in the corporate world’s best interest to find a solution to ensure that their emails continue to be opened and their brand not tarnished by bad user experiences? I am sure that a bank would not want their name associated with people losing their life savings by clicking on “their” email or the largest product company in the world linked to a scandal that exposed (pun intended) people’s most private photos.
Companies have tried to thwart spoofing by telling their users to never type in their personal information, including passwords, anywhere except the company’s official website. During RSA Conference 2013 held in San Francisco, several companies offered their “solution” to the spoofing problem: educate users on how to spot spoofed messages, thus putting the onus on the potential victim to keep themselves safe. Considering the sophistication of modern phishing attacks, this is like telling residents of a town to keep their doors locked while the police go on vacation. In a perfect world this could work, but thieves are crafty and put an authentic-looking link in the email to phony websites that look identical to the company’s real website. A remedy that puts the onus on users to determine what is real or fake is not a solution.
So far, victims of phishing attacks have had no legal recourse to recover assets lost this way. In one case that appeared before a German court,
“The court ruled that the bank was not liable, as it had specifically provided warnings to its customers against this practice [of the customer entering his credentials on a Web page that looked like his bank’s]”
“The plaintiff argued that the bank had a duty to protect its customers from the abuse of these codes,” The Local reported. “But the federal court upheld previous judgements by the district and state courts, agreeing with the bank’s argument that the customer should bear responsibility for falling for the con.”
Had the bank had a way to prevent the spoofer from luring the customer into providing the credentials needed to access the account, the bank would have had a harder time avoiding liability, as they would then have needed to explain to the court why they hadn’t availed themselves of a solution that would have protected their customers’ accounts.
In another case involving a US bank wiring assets based on a spoofed e-mail, the bank lost out (http://www.calbankers.com/compliance-bulletin/bank-held-liable-wire-transfer-losses-phishing-scam). Clearly, the bank was at fault, since it was they, not the customer, who fell for the spoof and who caused the customer to suffer financial loss. However, as in the German incident, had a process been in place to prevent the spoofer’s payload from being delivered, the phishing attack would not have been successful.
What is needed is a verification system that takes user judgement out of the loop, with the sender verified BEFORE the content (payload) of the email is delivered. This requires two things. First, the payload (email content and attachments) needs to be separated from the header information (email addresses of the sender and recipient) so that there is no way malicious content can get anywhere near the recipient. Second, both the company (sender) and the customer (or user) need to register that they will be communicating with each other. It only has to be done once and thereafter all emails from the company will be verified. When the user opens the email the system checks to make sure it is really the company it claims to be and then, and only then, does it deliver the payload.
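The two-step scheme described above, as an added illustration that is not code from the original article or from any product it alludes to: a gateway that parks the payload in quarantine, looks the sender/recipient pair up in a registry populated once at registration, and releases the payload only when a MAC computed with that pair’s registered secret checks out. The gateway class, the HMAC-based tag and the constructed sample messages are all assumptions chosen for this example.

```python
import hashlib
import hmac
import json
import secrets


class VerificationGateway:
    def __init__(self):
        self._registry = {}     # (sender, recipient) -> secret shared at registration
        self._quarantine = {}   # message id -> (headers, payload, tag) held back

    def register(self, sender, recipient):
        # Done once per company/user pair; the secret never travels inside an email.
        secret = secrets.token_bytes(32)
        self._registry[(sender, recipient)] = secret
        return secret

    @staticmethod
    def tag(secret, headers, payload):
        # MAC over canonical headers plus payload, so neither can be swapped out.
        canonical = json.dumps(headers, sort_keys=True).encode() + b"\n" + payload
        return hmac.new(secret, canonical, hashlib.sha256).hexdigest()

    def accept(self, headers, payload, tag):
        # Step 1: split the payload off and park it; nothing reaches the inbox yet.
        self._quarantine[headers["id"]] = (headers, payload, tag)
        return headers["id"]

    def release(self, msg_id):
        # Step 2: verify the sender against the registry before delivering anything.
        headers, payload, tag = self._quarantine.pop(msg_id)
        secret = self._registry.get((headers["from"], headers["to"]))
        if secret is None:
            return None   # nobody registered this sender/recipient pair
        if not hmac.compare_digest(self.tag(secret, headers, payload), tag):
            return None   # headers or payload do not match the registered sender
        return payload


def demo():
    # Constructed sample traffic (hypothetical addresses): one genuine, one spoofed.
    gw = VerificationGateway()
    secret = gw.register("alerts@bank.example", "user@example.com")
    genuine = {"id": "m1", "from": "alerts@bank.example", "to": "user@example.com"}
    body = b"Your statement is ready."
    gw.accept(genuine, body, VerificationGateway.tag(secret, genuine, body))
    # Same From header, but the spoofer never registered and has to guess a secret.
    spoofed = {"id": "m2", "from": "alerts@bank.example", "to": "user@example.com"}
    lure = b"Sign in at http://phony.example to unlock your account."
    gw.accept(spoofed, lure, VerificationGateway.tag(b"guess", spoofed, lure))
    return gw.release("m1"), gw.release("m2")
```

Only the genuine payload is ever handed to the recipient; the spoofed one is dropped at the gateway without the user having to judge anything.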
The technology to do this is already available, easy to implement and inexpensive. The hurdle is getting companies to understand the extent of the damage done to them by parties masquerading as them in email. Not only do they lose customer loyalty (and revenue) from users who believe they should have been protected from this, but their brand and reputation take a huge hit when word gets out. I wonder how many existing users are now turning off iCloud or how many new users will never sign up for iCloud because of the latest incident. I am not picking on Apple. It just happens that the iCloud break-in brought this issue into the spotlight. This should be motivation for companies to take action. To help make the online experience safer, users need to demand that companies implement systems that eliminate spoofing, and any company that values its customers needs to protect them from these online thugs and eliminate future “exposures”.