To cyber fraud expert Michelle Price, the question for any Australian organisation with a web presence is not if they will experience a malicious attack – but when.
The CEO of the not-for-profit body AustCyber, Price warns most local entities – especially small businesses – are oblivious to the extent of website incursions by automated software programs, known as “bots” or, when operating together, “botnets”.
Many likely have no idea what they are, let alone how to stop them.
“They are not so much losing the war against malicious bots, they are not engaged in the battle,” Price says.
Globally, the use of bots has enabled criminals to access sensitive customer and other data, which can be sold on the dark web to other fraudsters. Alternatively, bots can be deployed for a “denial of service” attack, aimed not so much at defrauding but disrupting an organisation’s normal service levels.
Frustratingly, the source and nature of bot incursions is constantly evolving. “The worst kinds of attacks are the ones you don’t see coming,” says Peter Robinson, chief security officer with “buy now, pay later” fintech Zip Co.
Offshore, companies including Instagram, Facebook, Cathay Pacific and the credit ratings house Experian have all been hard hit by data breaches – both in dollar and reputation terms. Locally, Landmark White, a property valuer, suffered a recent “cyber incident” that they estimate will cost them at least $5-6 million.
And judging from a new report by cyber security consultancy Kasada, Landmark White is unlikely to be alone.
After testing the security of 250 leading Australian websites, Kasada’s hair-raising finding was that 90 per cent of the sites could not distinguish between a real customer interaction and a bot.
“This leaves bots free to persist unassailed, eating up bandwidth, spiking server costs and slowing down sites,” says Kasada in its report, Bots Down Under.
The company also found that 90 per cent of “credential abuse attacks” came from Australian-based internet networks, debunking the theory of “Island Australia”. “It is no longer sound strategy to geo-block overseas traffic and assume local traffic is legitimate.”
The dangers are reflected in official data published following the introduction of mandatory data breach reporting laws last year. Under these laws, organisations that are subject to the Privacy Act must inform individuals if a data breach they have suffered is “likely to result in serious harm” to those individuals.
While not specifically referring to bots, the Office of the Australian Information Commissioner found individuals were notified of 964 data breaches between April 1, 2018 and March 31, 2019, the first 12 months’ operation of the new laws.
Of these cases, 60 per cent were traced back to malicious or criminal attacks. Phishing (users being tricked into revealing their passwords) was the leading cause of breaches, accounting for 153. Human error also resulted in 97 breaches, from emails being sent to the wrong recipient.
“The assessment that many websites are vulnerable to bot attacks is accurate and this is not just restricted to small and medium-sized business, either,” says John Heard, chief technology officer for the parking technology company Smart Parking.
He warns that many businesses are expanding the “pathways of interaction” from their websites to their target market, which increases the “attack surface” that attackers can exploit.
Heard says that most SMEs do not have the ability to retain the specialist skills or maintain investment in risk mitigation measures.
“The reality is that the majority of ‘self constructed’ and ‘self hosted’ websites are in a high risk category for bot and other exploitation.”
While the risks of attacks and other forms of exploitation are real, fortunately there are plenty of ways organisations can try to mitigate them, ranging from preventing users from re-using passwords and actively monitoring failed login requests and account resets, to ensuring firewall protection is turned on. Similarly, promptly applying the “patches” software companies release to fix newly discovered vulnerabilities is key.
“Patching should be part of a chief information officer’s daily business because crooks are exploiting loopholes,” says detective superintendent Matt Craft, the head of the NSW Police’s cybercrime unit. “Patches are created but companies are failing to take the appropriate measures to get their software updated.”
Sam Crowther, the founder of Kasada, which this month raised a fresh $6.5m from venture capital funds including Reinventure, says that as cyber criminals increasingly deploy automation, legitimate companies should respond in kind, pointing to the company’s bot detection and mitigation software tool, Polyform.
“Kasada Polyform secures millions of e-commerce and other internet transactions every day,” he says. “It shifts the power from the adversary to the enterprise by making attacks computationally more expensive for attackers and therefore disrupting their business model.”
The founder and CEO of medical imaging company Pro Medicus, Dr Sam Hupert, adds that the security landscape is changing as more companies outsource data storage to software-as-a-service “cloud” providers.
“Increasingly, parties like Google and Microsoft argue they have hundreds of experts in cyber security and a younger, more cloud-oriented group of CIOs are saying they are right,” Dr Hupert says. “They think that because the (cloud providers) guarantee the security side, maybe that’s better than doing it themselves.”
In theory, too many security measures are never enough in the ongoing battle of the bots.
In reality, organisations need to balance their precautions relative to the risks and the customer inconvenience caused (they may be locked out of their account after each and every suspected attack).
“If you are a financial services company holding a large quantity of financial information you should be far more attentive to cyber security matters than an outward-facing sales business,” NSW Police’s Craft says. “Businesses holding personal identification information should be particularly attentive.”
To protect its 1.4 million customers, fintech Raiz ensures that users are blocked for 30 minutes after four password attempts. Formerly known as Acorns, the savings app innovator also deploys multifactor authentication, by which users must enter a verification code if an unknown device is trying to log in.
“IP (internet) addresses are also blacklisted when there have been multiple attempts to log in from the same address,” Raiz CEO George Lucas says. “It’s an issue we take extremely seriously.”
Or put simplistically for a complex issue, Raiz works on the principle that as with a burglar, a cyber miscreant will move on to the less secure “house” down the road if the task is made too hard.
“Once they know you are aware of their activity and realise they are going to be spending too much time trying to attack you, many give up,” Lucas says. “They have limited resources and quickly work out it’s not worth their time.”
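One way to model the login controls Raiz describes above (four failed password attempts followed by a 30-minute lockout, a verification-code step-up for unknown devices, and blocklisting of an IP address after repeated failed logins), as an added Python example that is not Raiz’s own code. The per-IP threshold of 20 failures, the account names and the device identifiers are assumptions, since the article gives no figures for them.

```python
from dataclasses import dataclass, field
import time

MAX_ATTEMPTS = 4            # failed password attempts before lockout (from the article)
LOCKOUT_SECONDS = 30 * 60   # 30-minute lockout (from the article)
IP_MAX_FAILURES = 20        # assumed per-IP threshold; the article gives no number


@dataclass
class LoginGuard:
    """Tracks per-account lockouts, per-IP blocklisting and known devices."""
    failures: dict = field(default_factory=dict)       # account -> failed attempts
    locked_until: dict = field(default_factory=dict)   # account -> unix time lock expires
    ip_failures: dict = field(default_factory=dict)    # ip -> failed attempts (any account)
    blocked_ips: set = field(default_factory=set)
    known_devices: dict = field(default_factory=dict)  # account -> set of device ids

    def attempt(self, account, password_ok, ip, device_id, now=None):
        """Evaluate one login attempt; returns one of
        'blocked_ip', 'locked', 'denied', 'mfa_required', 'ok'."""
        now = time.time() if now is None else now
        if ip in self.blocked_ips:
            return "blocked_ip"
        # A locked account stays locked even if the password is now correct.
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if not password_ok:
            self.failures[account] = self.failures.get(account, 0) + 1
            self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
            if self.ip_failures[ip] >= IP_MAX_FAILURES:
                self.blocked_ips.add(ip)     # repeated failures from one address
            if self.failures[account] >= MAX_ATTEMPTS:
                self.locked_until[account] = now + LOCKOUT_SECONDS
                self.failures[account] = 0   # counter restarts after the lockout
                return "locked"
            return "denied"
        self.failures[account] = 0           # successful password resets the counter
        if device_id not in self.known_devices.setdefault(account, set()):
            return "mfa_required"            # unknown device: require verification code
        return "ok"

    def confirm_device(self, account, device_id):
        """Call once the user has entered a valid verification code."""
        self.known_devices.setdefault(account, set()).add(device_id)
```

Failed-attempt and lockout events returned here are exactly the signals the article suggests monitoring, so in practice each non-"ok" result would also be logged.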
Westpac has committed $150m to Reinventure. The views expressed are those of the author and do not necessarily reflect those of the Westpac Group.