How are individuals affected by cyber attacks?

And can it cause damage beyond the cyber sphere?
05 March 2024

Interview with Steven Murdoch, UCL

Anyone that’s received a dodgy-looking text from a number claiming that your package needs a fee to be delivered can testify that cyber attacks of a slightly smaller magnitude are fairly frequent in day-to-day life. So how do these sorts of attacks work, and are they perpetrated by the same groups as larger-scale incursions? Professor of Security Engineering at University College London, Steven Murdoch.

Steven - The big attacks against large publicly facing organisations are the things that make the headlines. But there's other groups who are targeting individuals, but the way that they work is quite different. There's not much point in carrying out ransomware against individuals because you might be able to extort thousands of pounds out of them, but not the same amount that you'd be able to get if you started going after massive companies with billions of turnover. So the criminals who attack individuals are often there either as a staging point to carry out attacks against companies they might be working for or they might be suppliers to, or they use it for committing fraud. Somehow a criminal will get access to their computer systems or information about them and then use that to somehow take money out of their bank account.

Will - What is the most common way that someone might be able to assume your identity?

Steven - The current most concerning type of fraud is something called authorised push payment. So the way that this has come about is that banking security measures have got significantly better. So somehow the criminal has to convince the victim. So they need to come up with a plausible story, and often that plausible story is based on information that's collected from their computer or from other computers or from data breaches or so on. So the sorts of things that criminals might do is that if they can get into your bank account, they might not be able to steal money, but they can certainly see the transactions and then they call up the victim and say, this is your bank speaking to you, you know it's the bank because I know your last 10 transactions, so surely you should now do what I say. And then the customer will be tricked into sending their money to what they might think is a safe account, but is actually the criminal's account.

Will - That's what we would probably consider a pretty classic form of cyber attack. But as we move towards an almost entirely digital lifestyle, it does seem that we're going to see increasingly bizarre and out there forms of cyber attack. I've even heard of people being hacked through their electric toothbrushes.

Steven - Yeah, so it turned out the toothbrush hack probably wasn't true, but it's not far away from the truth. Criminals want to make money. The way they do that is because they need something that's of value to them. So a computer might have an internet connection and if they hack into that computer, they can then attack other computers and get paid for that. There might be valuable data. So the information that could be used for committing fraud. So the criminals are always looking for what is the weakest internet-connected device. And that tends to be where you see the more unusual hacks. The criminals are hacking into things like air conditioning units or fish tank units, not because they care about the air conditioner or the fish tank, but because they're just normal computers and maybe the criminals don't even know that these are connected to some hardware. They just want to get on the network. Those devices are often poorly maintained compared to servers or desktop computers. And once they're in, they're inside the network and it's much easier to move around.

Will - Increasingly there are some frankly rather chilling stories of facial recognition being involved in these sorts of schemes. I was wondering if you could talk us through a couple of those.

Steven - Again, computing is driven by economics and one kind of unusual issue is that cameras have become so incredibly cheap because of smartphones. So whereas before you might have some sort of dedicated sensor for identifying whether someone is standing in front of a computer or you might have sensors on doors to see whether they're open, it can actually be cheaper to build a camera and machine learning system to recognize all of these things. But that could be quite intrusive because it's recording photos and in some cases the companies promise that the photos never leave the device. They're just used for identifying what's happening and then the images themselves are being thrown away. But you've got to trust the company when it comes to them claiming that. And even if it is true now, it might not be true forever. The company could change their policies or the device could get hacked and then it's a device with a camera in a potentially sensitive organisation.

Will - And that almost gives them a secret eye on a part of the company that people would much rather they don't see.

Steven - Yes, and there's certainly been examples for good or for bad where people have hacked into cameras. So there's certainly malicious uses of these and some quite terrible examples of where people are blackmailed based on images that have been collected from cameras that are hacked. But there's also more amusing cases like where someone has hacked into the camera that is surveilling a call centre that is used for committing scams. So they were able to see in real time the people who were calling up trying to impersonate Microsoft and yeah, the scam beaters had an amusing time being able to see what these people were wearing and then tell that back to them. And they seem quite surprised.

Will - We've talked a lot in the show about the economic impact of cyber attacks and I think that is important and I think that is also the first thing a lot of people think of when they think of a cyber attack. They think they are held to ransom large amounts of money or even the loss of personal data. But is there also almost a personal psychological side to this? Because if someone is the victim of a cyber attack, do you think their trust in digital services may drop, they might have a drop in technological confidence?

Steven - Yes, absolutely. There is quite a significant psychological cost to some of these attacks. It's not just their money that they've lost, they've also lost their autonomy. And so they are definitely traumatised even if they do get the money back. I could see the same thing if there was going to be personal data stolen, even if that personal data is never used, that is an intrusion in itself. They might be less trusting of individuals. It could harm their life, their family and their friends. It might mean that they're less likely to go out and meet people. Maybe they'll be less trusting of their bank and put their money underneath their mattress and reduce risks in some ways, but could cause them harm in other ways. It's much easier to lose something if there's no powerful organisation looking after it.