All About BEC, Payment Fraud And Probabilistic Proof
TF7's George Retttas Interviews Walrus Security Founder, Michael Walfish
Among the many problems remote work during the coronavirus pandemic has created has been an uptick in business email compromises (BECs). With people no longer working in offices, they are letting their guard down when it comes to emails purporting to be from a company’s finance official instructing them to make an urgent payment, according to Michael Walfish, the founder of BEC software provider Walrus Security, and a computer science professor at NYU.
Speaking on Monday’s Task Force 7 Radio, Walfish said that when people were in the office, they “got wise to a pattern. It was suspicious if the treasury department, for example, got an email from an executive saying, "Can you wire money to this place you've never wired before? I'm not in the office, call me on my cell phone to confirm."
Now, “that’s the actual pattern,” and more people are falling for these schemes, he told George Rettas, host of Task Force 7 Radio and the president and CEO of Task Force 7 Technologies.
“So the advice to people sending money to be on the lookout for anomalies isn't as applicable, because we're living through an anomaly,’’ Walfish said. “So once the legitimate payment requests have that form, then it means that there's an opportunity for the adversary to cloak their spurious fraudulent emails as looking like one of those expected anomalies.”
What makes this work, he added, “is that the attackers are … parked in email systems monitoring communication back and forth, and then at a crucial moment, they're substituting their own payment instructions for the payment instructions of the legitimate recipient of the funds.”
People have lost their life savings sending down payments on homes to thieves who are impersonating their escrow or title company, Walfish noted.
“Title agents have actually gone under because they've redeemed proceeds on real estate to the fraudster instead of to the legitimate seller or to the bank that made the original seller the loan,’’ he said. FBI statistics show the problem is increasing exponentially, he added, going from .2 billion in 2014 to up to 12.6 billion in 2019.
Rettas asked whether the anti-phishing tools Fortune 500 companies have are effective?
While there are a number of effective countermeasures that are deployed, like two-factor authentication and anti-phishing software that attempts to flag messages that are obvious fakes, “The problem is that the attack … revolves around the cyber security not of your organization but of your counterparties,’’ Walfish replied.
If an incoming email looks legitimate, he said artificial intelligence can't detect that there is a problem. What is different is that the numbers in the account and the bank routing number have been changed, but “there's no way that people realize that this is fake.”
The best practice in this situation, Walfish said, is to make a phone call. The problem is, though, that “if you're trying to complete a transaction quickly, you're not going to pick up the phone.” So before someone issues a payment, be “absolutely sure that the person you're paying is the right one,” Walfish said.
Secure System Design And Verifiable Outsourcing
Walfish and Rettas then discussed the work Walfish has done with verifiable outsourcing, which is when one computer wants to check that another has executed something correctly.
“A common example is cloud computing where you have some program that you write, you outsource its execution to a set of computers in the cloud, you get back an answer, the result of the program that you outsourced,” Walfish explained. “Then you want to make sure that that output is actually consistent with the program that you wrote.”
This applies to other applications, like blockchain, and “untrusted hardware manufacturers” he said. “But for now, just imagine that some computer asserts that a particular output really is the output of your program on some input that you select, and you might like to check that assertion.”
A “naive way to do this” is to re-execute the input yourself, he noted. This allows someone to see if the output that your computer produces matches what those outsourced computers had returned. But this defeats the purpose of having asked the other computer in the first place, Walfish said, and it may not be possible because there may be other inputs that that other computer uses that aren't available to you.
Instead, a better idea is to have a witness or certificate that your computer could efficiently check, he said. “Then you wouldn't have to worry whether the remote computer executed correctly or not; either the witness or certificate checks out or it doesn't. And that's what verifiable outsourcing is at a high level.”
Rettas asked if these witnesses or certificates are connected to probabilistic proofs?
“Yes, absolutely,’’ Walfish replied. “These witnesses or certificates are probabilistic proofs. Of course, that raises the question, what's a probabilistic proof? It's a kind of mathematical object from theoretical computer science.” It was started back in the 1980s, he added.
While they “sound impossible when you first hear about them, they're extraordinary,’’ he said. The computer doing the checking, which is sometimes called a verifier, can actually gain assurance in such a certificate by only checking it in a handful of locations, not even checking the entire thing, he said.
Random checking is essential, he said. “If the untrusted party, the one with the burden of producing the proof doesn't know where in the proof you're going to be looking, then it can't arrange its answers to fool your questions.”
In response to a question from Rettas about what examples of real world applications of this technology, Walfish said that so far, they are in blockchain, in particular cryptocurrency, most notably Zcash.
“There are a number of other startups that are incorporating this technology, typically all related to blockchain or cryptocurrency,’’ he said.
Probabilistic proofs technology has been made “much less expensive,’’ Walfish added. With the exception of cryptocurrencies, however, he said it’s still very much a research area and the technology has not yet been commercialized. “Although we are trying to change that.”
Rettas asked Walfish what applications he envisions for the future of probabilistic proofs?
“I'd love to see it used in that untrusted hardware context,” and for private classifiers. “If you are the user of a neural network and someone just hands it to you, you might like some sort of assurance that that neural network … truly correspond to the training data,’’ he said. “There might be cases where the entity that supplies you with a neural network does not have the greatest incentive to give you something that was accurately trained.”
This would provide some assurance that the training was done in a high integrity way, he said.
Payment Fraud And Blockchain
The discussion then turned to how companies can be prudent and watch for payment fraud and how to mitigate it if they become a victim.
“You need excellent processes with no exceptions and careful documentation,’’ Walfish said. “And it's surprising how often that does not exist.” He noted that it is also “very difficult to train humans to be error free.”
In response to a question from Rettas about his take on blockchain, Walfish said he thinks the technology is being overhyped.
“I hear people thinking that blockchain is going to end the threat of nuclear war, it's going to do this, it's going to do that. It is not going to do any of those things,’’ he said. “But blockchain actually provides us something pretty cool and new, which is that in a federated way, so we don't have to trust a single entity, it provides an immutable record of what happened. That's definitely a useful construct.”
Rettas asked Walfish to discuss the most encouraging thing he’s seen in cyber security?
Walfish replied that he’s encouraged by the level of security that has been embedded into mobile devices, including two-factor authentication. Additionally, he said he’s glad to see there is more general awareness on the part of the public about fake emails.
On the flip side, he said he’s concerned about the fact that as the defenses get stronger, “the attackers are adapting. The sophistication of attacks is increasing. We're seeing things like SIM porting and SIM swapping where adversaries gain control of phone numbers.”
This is how phone calls can be compromised, Walfish said. While it’s important to have two-factor authentication, “We're seeing attacks on two-factor authentication that are quite sophisticated.”
What worries him on a larger scale, he said, is the possibility of an attack on critical infrastructure, like a power plant or water treatment plant – or even a voting system.
In response to a question from Rettas, about how safe are password managers, Walfish said they are safe – if used correctly.
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes, click here.