It’s your worst nightmare: You just bought your dream home and sent the escrow agent a wire transfer for $140,000 to make the down payment.
Now the escrow agent is on the phone. “Where’s the down payment,” she asks?
You contact your bank to confirm that the wire was sent. It was. You call the escrow agent back to read back the instructions.
“That’s not my account,” she tells you. “You need to retrieve those funds and send them to the correct account number.”
But it’s too late. Your bank can’t retrieve the funds because they’ve already been wired out of the receiving account.
That’s the nightmare Washington, D.C. homebuyers Sean Smith and Erin Wrona faced when they arrived at the offices of Federal Title & Escrow. A month earlier, they had complied with what they thought was a routine request to send the escrow company $1.57 million before closing on a new home. But when they walked into the company office to sign the closing documents, they learned the money had never arrived.
Hackers had managed to take over the title company’s servers and redirect emails sent to it. Then they sent Smith bogus emails instructing the couple to send the money to an account they controlled. When Smith did so, the money disappeared. He has yet to get it back, as both his bank and Federal Title disclaim any responsibility for the loss.
Welcome to Hacker World, where malicious web-savvy thieves can steal almost any asset, file false tax refund claims, manipulate electronic controls, and shut down an entire country’s power grid:
-
In 2016, hackers installed software designed to compromise security on the computers used by the Bangladesh Central Bank (BCB). The software unlocked the information needed to authorize transfers through SWIFT, the global network that enables banks to transfer funds worldwide.) The hackers impersonated the BCB and sent a series of messages to the Federal Reserve authorizing the transfer of $1 billion from the BCB’s account in New York to accounts in the Philippines and Sri Lanka. Over $80 million was sent to the hackers before security personnel at the Fed discovered the scam.
-
In 2015 and 2016, lax security measures at the “Get Transcript” page on the IRS website gave hackers the opportunity to retrieve hundreds of thousands of tax return transcripts. This is a digital file showing most line items on your current tax return and up to three years of past returns. With this data, hackers were able to file more than 700,000 fraudulent tax returns claiming refunds averaging about $3,000 per return.
-
Hackers can weaponize internet-connected devices such as cameras, DVR players, and programmable thermostats. In 2016, hackers took over more than 100,000 unsecured “internet of things” (IoT) devices to launch a massive “denial of service” attack against some of the world’s largest websites. Forecasting firm Gardner research estimates that by 2020, more than 20 billion IoT devices will be deployed.
-
Hackers shut down the entire power grid of Ukraine for several hours in 2015, possibly in a rehearsal for larger attacks. One target could be the US. Security firm Symantec reports that hackers have already successfully infiltrated the control systems of power plants and other critical US infrastructure and could induce blackouts at will.
-
In 2015, Chrysler recalled 1.4 million vehicles after researchers hacked a Jeep, disabling its brakes and transmission. Since then, researchers have discovered a fundamental flaw in electronic control systems that could allow hackers to take over and disable control and safety features in virtually any modern vehicle.
-
Hackers have discovered vulnerabilities in internet-connected medical devices, ranging from insulin pumps to machines that monitor patients’ vital signs during surgery. When I had surgery a few months ago, one of my last thoughts before the anesthesia kicked in was, “What happens if a hacker disables the control mechanism on the machine dispensing anesthesia.” Fortunately, that didn’t happen – or I’d be dead.
-
In January of this year, researchers discovered major security vulnerabilities in the microprocessors that operate almost every computer made in the last two decades. The vulnerabilities make it possible for a hacker who has gained access to one system on a computer or smartphone to use that access to steal data from any other system on that device. The only solution is to replace every one of these devices – which will take decades to happen.
And if you become a victim of these hacks, you’ll likely discover any loss or inconvenience you suffer is yours alone to bear.
And it will only get worse, for several reasons. The world’s dependence on the internet is continuously growing. At the same time, it’s frighteningly easy to become a hacker. When I searched online for the phrase “hacker toolkit free download,” I came up with 24,200,000 hits. In one case, a seven-year-old boy broke into a Wi-Fi hotspot within minutes of watching an online video tutorial.
And don’t count on the government to help you if you or your company become the next hacker victim. When reporters interviewed nearly 80 victims of an alleged Russian attack against their Gmail accounts, they were shocked to discover that only two of them had been warned by the FBI that their email addresses had been compromised.
Even after the massive attack against Equifax last year, when hackers stole at least 147 million credit files, the Feds have done virtually nothing to deal with it. Indeed, shortly after the hack was disclosed, the IRS awarded a $7 million contract to Equifax to protect the agency from fraud. That’s a little like Hansel and Gretel paying the witch who planned to eat them a fee for advice on how to avoid cannibalism.
But the biggest reason things will get worse before they get better is that there is no real constituency for internet security. Be honest: the last time you purchased a digital camera, a programmable thermostat, or a smart television, how much time did you spend thinking about how secure it was? If you’re like most consumers, the answer is probably no time at all.
Manufacturers of smart devices know this. They understand that consumers, above all, value low-cost, high-capability devices. Many if not most of these devices can’t even be upgraded with better security. Yet most of us keep them for many years. When was the last time you performed a security upgrade for your home thermostat?
Yes, secure programmable devices are available, but they are more expensive than their insecure counterparts – and thus not nearly as popular. Meanwhile, the vulnerabilities are so profound that a single large attack can affect millions of people. Yet, until consumers refuse to purchase insecure devices – or until they’re regulated out of existence – hacker attacks will proliferate.
There’s little individuals can do to avoid the enormous infrastructure attacks hackers have demonstrated are possible, other than moving into an off-the-grid home. But you can avoid targeted attacks, and just as important, not become part of the problem.
For instance, keep your anti-virus software up-to-date. Don’t click on strange links in emails. Encrypt your data and email. Use a virtual private network (VPN) to prevent hackers from stealing passwords. Before you transfer large sums of money, be absolutely certain you’re sending it to the right place.
Above all, unplug. Do you really need an internet-connected refrigerator? Smart light bulbs? Or smart sex toys? Until manufacturers of smart devices start taking security seriously, avoid them as much as you can.
