Sharing Information: Balancing Security and Convenience

Lawyers and title insurance agents send and receive correspondence electronically nearly every day. The level of security must correspond to the sensitivity of the information being sent. Generally speaking, security and convenience have a diametrically opposite relationship, like opposite ends of a seesaw. The higher one is, the lower the other. The challenge, and everyone’s ethical responsibility, is to balance the proper amount of security and convenience. This post briefly examines some common ways of sending information and the level of security associated with each.

Level 1:

For a cyber criminal intercepting several thousand emails daily, the subject line of an email is easy to scan for keywords that mark it as worth a second look. Programs are used to look for words and phrases that indicate the message has personal or financial information. Words and phrases such as “payment”, “wire”, “payment instructions”, and “bank information” should never appear in the subject line. More importantly, none of the information itself should ever be written in the subject line.

Level 2:

The body of an email is easy to read. Any information in the body of an email that is intercepted or received at the wrong address can be read. The body of an email should not contain any sensitive information. The body of an email refers to anything that can be seen in the email without opening an attachment. 
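The Level 1 and Level 2 advice above amounts to a simple outbound screening rule: flag a subject line that carries trigger phrases or actual data, and flag a body that carries actual data. The following is an added example (not code from the original post) of such a check in Python; the phrase list is built from the post's own examples plus a few obvious relatives, the regular expressions are illustrative rather than a complete data-loss-prevention rule set, and the sample messages are constructed.

```python
import re
from typing import List, Tuple

# Phrases the post says should never appear in a subject line. Constructed
# from the post's examples plus a few relatives; extend it for your practice.
SENSITIVE_PHRASES = (
    "wire",
    "payment",
    "payment instructions",
    "bank information",
    "account number",
    "routing number",
)

# Patterns for data that should never be typed into a subject line or body.
# Illustrative regexes only, not a complete DLP rule set.
DATA_PATTERNS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "routing_like": re.compile(r"\b\d{9}\b"),
    "card_like": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def find_phrases(text: str) -> List[str]:
    """Return the sensitive phrases that occur in text as whole words."""
    lowered = text.lower()
    return [p for p in SENSITIVE_PHRASES
            if re.search(r"\b" + re.escape(p) + r"\b", lowered)]


def find_data(text: str) -> List[str]:
    """Return the names of the data patterns that occur in text."""
    return [name for name, pat in DATA_PATTERNS.items() if pat.search(text)]


def screen_outgoing(subject: str, body: str) -> List[Tuple[str, str]]:
    """Screen an outgoing message before it leaves.

    Returns (location, finding) pairs. The subject line gets both the phrase
    and the data checks (Level 1); the body gets the data checks (Level 2).
    An empty list means nothing was flagged.
    """
    findings: List[Tuple[str, str]] = []
    findings += [("subject", "phrase: " + p) for p in find_phrases(subject)]
    findings += [("subject", "data: " + d) for d in find_data(subject)]
    findings += [("body", "data: " + d) for d in find_data(body)]
    return findings


# Constructed sample messages (no real people, accounts or transactions).
SAMPLES = [
    ("Tee time Saturday?", "Can you make 8:30 at the club?"),
    ("Wire instructions for 12 Main St closing", "See attached."),
    ("12 Main St closing",
     "Routing 000123456, account 123456789, seller SSN 123-45-6789"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(repr(subject), "->", screen_outgoing(subject, body) or "clean")
```

A rule like this belongs in the mail gateway or the sending client, where it can hold the message for a second look rather than silently alter it; the phrase list is deliberately short and case-insensitive, because the point is to catch the habit of labelling sensitive mail, not to enumerate every possible keyword.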

Level 3:

An attachment within an email is intercepted along with the email. A level of security can be added by encrypting the attachment. Encryption is a way of scrambling the data being sent so that it becomes a coded message. The recipient of the message then needs the key to unscramble and read the message. This disrupts the process by requiring a cyber criminal to unscramble the data. For example, the German Enigma machine sent coded messages that could only be read if the recipient also had an Enigma machine set to the proper setting. Like the Enigma code, all encryption can be decoded with enough work, but having the key at the other end makes it an easy and practical method of sending messages. While encryption does add an additional level of security, it is not a high level. Many people with the technology to intercept an email sent over WiFi also have the technology to unscramble encrypted data.

Level 4:

A link to a secure, shared file is the most secure of the common methods of delivery. In this method a file is shared on a cloud service such as Dropbox. The originator stores the information in a file, creates a password, and determines who will have access to the file. The only information that is sent is the location of the data and the access password. The data is never sent to the recipient. The weakest link in this method is the password. All normal password complexity rules apply. In addition, the storage location and password should never be sent in the same message. To be more secure, they should be sent by different methods, such as the link to the file by email and the password by telephone. 

Six Reasons Lawyers Should Store Data In The Cloud

Lawyers are traditionally slow to adapt to new technology.  Right now one of the biggest innovations in technology is the mass use of cloud storage.  In layman’s terms, cloud storage is a giant online data warehouse[1] or a virtual hard drive.  Data that is stored in the cloud is not in a physical location under the control of the user.  The user’s program interacts with the data warehouse to access the information.

Cloud storage can be difficult to grasp for some people because it is not a tangible object that can be held.  People are often worried that they won’t be able to find what they need or their information will disappear.  Below are six advantages to using the cloud for data storage.   

(1)       Convenience

Data that is stored in the cloud is accessible anywhere with internet access.  This may be at the user’s home, office, a coffee shop, the airport, or countless other places.  A user does not have to carry around a device (or devices) to access information.  The internet, and thus the information stored in the cloud, is available anywhere with WiFi or cellular service. 

A user with information stored in the cloud will have access to literally all of the information they have stored, regardless of size.  One of the main benefits of cloud storage is that it’s scalable.  The amount of cloud storage available is unlimited and can be increased to accommodate the changing needs of a company as it grows.  A person with hard copies of information is limited to the amount of paper they can carry.  A user with information stored on a device is limited to the size of the storage on the device.  For example, a user with a flash drive is limited to the capacity of the flash drive, which may be the equivalent of a dozen boxes of information.  One drawback to using a device such as a USB stick is that the user needs to decide before traveling what information they will need and move a copy to the USB stick.  If some data is forgotten or something unexpected is needed once the user is traveling, that information is inaccessible.  A user with information stored in the cloud does not have to deal with these limitations.

(2)       Cost

Users pay only for the amount of storage space they need.  The capacity grows only as the user's storage needs grow.  This is a major advantage for a small law firm.  With local (non-cloud) storage, a user must buy large capacity storage devices up front even if they don’t need all the space.  With cloud storage, the user only pays for what they use, and it grows and shrinks according to their changing needs. 

(3)       Safety

Data that is stored in the cloud cannot be lost by losing a device.  Any data that is stored on a device is lost when the device is lost.  A USB stick (a.k.a. “flash drive”) can be lost[2].  Laptops are stolen.  Often a user’s solution is to save multiple copies of the information on different devices.  For example, a user may save one copy on the laptop and another copy on a USB stick.  The problem is that this often causes confusion when copies are edited separately and different versions of the same work product have been saved.  This method also doubles the chance that a device with the information is lost.

Anyone keeping personal information on a USB stick, such as a lawyer working on a real estate transaction, must be aware that a lost USB drive or laptop is a data breach.  Files for real estate transactions contain personal information, the loss of which constitutes a data breach.  Most data breaches are the result of lost paper files or a lost device[3].  Many states have laws regarding the loss of confidential information.  In Massachusetts, for example, a data breach has occurred when the owner of the data has lost control of the data, not when it is used.  When a party has a data breach, 201 C.M.R. 17.00 requires, among other things, notification to the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office.

(4)       Transmitting information

A link to a secure, shared file is the most secure of the three common methods of sharing information.  Most information is sent as text typed into the body of an email, as an attachment to an email, or as a link to a shared file.  Often, email exchanges are plain text, open and readable by anyone snooping on the network (e.g. public WiFi).  Cloud storage providers transmit file data in encrypted form, which is not easily intercepted and is difficult to decrypt without the encryption key, which is not transmitted.  Dropbox, for example (https://www.dropbox.com/security), uses a multi-layered approach to security that involves passwords, data encryption, and file storage encryption within their own data center.

To share information using a cloud storage provider, a storage location is set up in the cloud by a user.  The user determines who has access to the location and creates an access password.  In this sharing method, the data is never sent to the recipient.  The only information that is sent is the location of the data and the access password.  The weak link in this method is the password.  All normal password complexity rules apply[4].

Another common problem with sending information directly is the file size.  Many times large files take too long to transmit or end up in the "junk mail" folder of the recipient.  In these cases, often the recipient will never see the file.  This is not a problem when the information is stored in the cloud because the only information being sent is the location and access code to retrieve the information.

(5)       Ransomware

The principle of ransomware is that the cyber criminal locks up data and ransoms it back to the owner.  One way to negate the effect of ransomware, and eliminate the need to pay the ransom, is to have a multi-faceted back-up strategy and to store information in more than one location.  Ransomware affects your computer’s operating system.  The cloud is not part of your computer’s operating system.  Data that is stored in the cloud cannot be locked up by a ransomware attack against your operating system.

Backing up all of your computers and mobile devices regularly to cloud-based backup services and/or external hard drives, with snapshots kept off site, is an excellent way to avoid the possibility of ransomware crippling your business.  A user who has some local files (e.g. on their laptop hard drive) locked up by ransomware will be able to restore the locked files from backups in the cloud without needing to pay a ransom.

(6)       You’re Probably Already Using Cloud Storage

At this point it is difficult to imagine that any practicing lawyer hasn’t been sent a link to files stored in the cloud.  You may not have set it up, but you have accessed information stored in the cloud.

[1] For a more technical definition see:  https://www.techopedia.com/definition/26535/cloud-storage “Cloud storage works through data center virtualization, providing end users and applications with a virtual storage architecture that is scalable according to application requirements.  In general, cloud storage operates through a web-based API that is remotely implemented through its interaction with the client application's in-house cloud storage infrastructure for input/output (I/O) and read/write (R/W) operations.

When delivered through a public service provider, cloud storage is known as utility storage. Private cloud storage provides the same scalability, flexibility and storage mechanism with restricted or non-public access.”

[2] See e.g.  http://www.cnn.com/2017/10/29/europe/heathrow-airport-security-usb-stick/index.html

[3] Approximately 65% of data breaches reported are the result of lost paper files and devices like laptop computers and USB sticks.  See e.g. http://www.crn.com/news/security/240164674/lost-flash-drive-at-core-of-kaiser-permanente-data-breach.htm

[4] e.g. don’t use 1234, qwert, the docket number, or file number as a password.  Obviously, the storage location and password should never be sent in the same email.  To be even more secure, they should be sent by different methods, such as the link by email and the password by telephone.

The Danger of Using Unsupported Software

We have all seen the headline "Company X will no longer support ABC software as of (insert date)," but do you know what it means?

When software companies release new versions of software, the old version is not shut down.  A period exists when the old version is still available for sale, and performance and security features are updated.  The typical first step in phasing out an old version is to reduce and eliminate the marketing.  During this period, the focus is on selling the new version of the product while still supporting the old version with performance and security updates.  In the second phase, the old version is no longer for sale but is still being supported with performance and security updates.  In the final phase, the company stops supporting the old version completely.  At this time, we see the news release "Company X will no longer support ABC software as of (insert date)."  On that date, the company stops adding performance and security updates. 

For example, Microsoft released Windows 1.0 in November 1985 and Windows 10 in July 2015.  In between, Microsoft released dozens of products.  For example, Windows XP was released in October 2001 and supported until July 2014.  Windows XP has not been updated since July 2014.  In short, no features or security patches have been added since July 2014. 

When software is released, the company continues to work to improve the product.  At the same time, cybercriminals work to find ways past its security to install malware and to steal information or money.  When a security breach is identified, the company works to identify the weakness and strengthen the security to prevent similar intrusions.  As soon as the security improvements are ready, the company sends a message to users to update the software.  The longer it takes for the company to identify a problem and create a fix, the longer users are at risk.

Many malware and ransomware attacks target older versions of software with known security weaknesses.  Two situations where old software with security weaknesses exist are (1) users that have not installed an available update and (2) unsupported software.  In the first instance, the user can simply install the update – hopefully before anything bad happens.  In the second case, no security update is available nor will any become available.  In the example above, security weaknesses that have been identified since July 2014 will never be fixed.

The weaknesses in unsupported software will be left to be exploited indefinitely by cybercriminals.  Keep all of your apps up to date and don’t use unsupported software. 

Timeline of a Transaction Gone Wrong: The Last Minute Change in Payment Instructions

This is a supplement to an earlier post about this scam.  Look at the steps involved in a typical transaction and think about where you can step in to slow down the process and prevent funds from being sent to a criminal.

Standard business procedures

  • The lawyer* (title insurance agent) has an assistant that helps with real estate transactions
    • The role of the assistant is to prepare documents and payments for the transaction
    • The lawyer reviews the assistant’s work prior to the transaction
    • *Lawyer and title insurance agent are the same person in this example

Pre-transaction: The parties prepare

  • The lawyer and the real estate broker often have a history of handling transactions together
  • The transaction paperwork is all prepared in advance
  • Account numbers for the wire transactions are all exchanged as part of the closing documents
  • Instructions to wire the payoff funds and seller’s proceeds are all set up a few days before the closing

Pre-transaction: The criminals prepare

  • A cyber criminal has been monitoring the emails exchanged between the lawyer and broker
  • A legitimate-looking email is sent to the lawyer or, more commonly, the lawyer’s assistant
  • The email contains new wire instructions
    • Believability and timing are the two keys to the scam
    • The email has an address that looks legitimate
    • The email has a legitimate reason for the change in wire instructions
    • The email arrives at a time of chaos or urgency when the recipient is less likely to fully scrutinize the message

The scam

  • The wire instructions are changed according to the new “corrected” instructions
  • The closing takes place and the funds are wired to the new “corrected” account number
  • The funds are received in the criminal’s account and are immediately withdrawn
  • The criminal’s account is closed

Post-transaction: Stage 1

  • Days go by and the lawyer has no idea a cyber criminal has stolen a few hundred thousand dollars
  • A few days after the closing the lawyer receives a call from the mortgage company or seller complaining that they haven’t received their funds
    • The lawyer assures the caller that everything is fine and offers to look into the problem and call back once the “mistake” is corrected at the bank

Post-transaction: Stage 2

  • The lawyer is told by the bank that the funds have been wired out
  • The lawyer confirms the amount and account number
  • Research is then done and (at some point) the lawyer realizes that the funds have been stolen
  • The lawyer then calls the mortgage company or seller and explains the problem / situation / fraud
    • It is recommended that the lawyer also call the FBI and report the crime

Post-transaction: Stage 3

  • The lawyer calls the insurance company to submit a claim for the funds that have been stolen
  • The insurance company then informs the lawyer that the loss is NOT covered by insurance
    • The funds have been sent to the account intentionally designated by an authorized party at the lawyer’s firm
    • The lawyer did not have proper cyber security in place (e.g. outdated firewalls)
    • This is not an act of negligence
    • This is a ministerial task, not the practice of law

Post-transaction: Stage 4

  • The lawyer needs to pay the stolen funds, possibly a few hundred thousand dollars, OUT OF POCKET

Prevention

  • Treat any change in wire instructions with extreme skepticism
  • The level of due diligence should be the same as for a transaction in which you are personally spending a few hundred thousand dollars
  • If the instructions are fake and you (or your authorized representative) give the instructions to wire the funds, you may be spending a few hundred thousand dollars
  • Avoid using words and phrases such as “wire instructions” and “payment instructions” in the subject line of an email
  • Once the payment instructions have been received, NO changes should be made without extreme due diligence
  • Whenever an email is received, take the time to verify the email is legitimate
    • Scrutinize the sender: is this the exact email address of the person you have been dealing with?
    • If you respond to the sender, do not hit reply.  Hit "forward" and use the email address you have in your directory for the other party
    • Pick up the phone, call your contact at the other company, and speak only with your direct contact
    • Scammers are sophisticated enough to call your office to verify the new instructions sent in the email
    • You need to dial the phone and make the call to the number you have in your records for the other party
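The "scrutinize the sender" and "forward, don't reply" steps above can be expressed as a small check that a mail client or gateway runs on every inbound message about a transaction. The following is an added example (not code from the original post) in Python: it parses the From and Reply-To headers, compares the sending address, not the display name, against the address already on file for that contact, and hands back the directory address to forward to. The contact directory, names and domains are constructed for the example.

```python
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

# Constructed directory of the addresses you already have on file for each
# contact, keyed by the display name you know them by (hypothetical values).
DIRECTORY: Dict[str, str] = {
    "jane broker": "jane@examplerealty.test",
    "acme lending payoff desk": "payoffs@acmelending.test",
}


def normalize(addr: str) -> str:
    """Lower-case and strip an address so comparison is exact but not
    case-sensitive; the domain part is case-insensitive by definition."""
    return addr.strip().lower()


def check_sender(from_header: str,
                 reply_to_header: Optional[str] = None) -> Tuple[str, str]:
    """Compare the sending address with the address on file.

    Returns (verdict, address_to_use) where verdict is one of
    'match', 'mismatch' or 'unknown-contact', and address_to_use is the
    directory address to forward any reply to (never the incoming address).
    The display name is only used to look up the contact; it is never
    trusted as evidence that the mail is genuine.
    """
    display, addr = parseaddr(from_header)
    addr = normalize(addr)

    known = DIRECTORY.get(display.strip().lower())
    if known is None:
        # Mail with no (or an unfamiliar) display name: match on address alone.
        known = addr if addr in DIRECTORY.values() else None
    if known is None:
        return "unknown-contact", ""

    if addr != known:
        # Same name, different address: exactly the case the post warns about.
        return "mismatch", known

    if reply_to_header:
        _, reply = parseaddr(reply_to_header)
        if normalize(reply) != known:
            # A Reply-To that diverts answers elsewhere is treated the same way.
            return "mismatch", known

    return "match", known


if __name__ == "__main__":
    # Constructed headers, including one lookalike domain (rea1ty, digit one).
    for hdrs in [
        ('"Jane Broker" <jane@examplerealty.test>', None),
        ('"Jane Broker" <jane@examplerea1ty.test>', None),
        ('"Jane Broker" <jane@examplerealty.test>', "closing-desk@mailer.test"),
        ('"Someone New" <new@unknown.test>', None),
    ]:
        print(hdrs[0], "->", check_sender(*hdrs))
```

Whatever the verdict, the address returned is the one from your own directory, which is the post's "hit forward" rule in code; a "mismatch" or "unknown-contact" result is the cue to pick up the phone and call the number you have on record, not the number in the message.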

Holiday Shopping: Don't Add Malware To Your Cart

Black Friday will be here soon to start the holiday shopping season. This is one of the busiest online shopping periods of the year. Specials are announced daily, many require immediate action, and all have short expiration dates. Black Friday and the holiday shopping season are consequently also the busiest period of the year for installing malware.

Ninety percent of all malware requires human interaction to be installed. That means a human needs to open an attachment, click on a link, or otherwise activate the installation. Cybercriminals use three popular techniques to trick people into downloading malware: (1) malvertising, (2) phishing, and (3) spear phishing. Cybercriminals take advantage of the online chaos of the holiday shopping season to launch more attacks and install malware on unsuspecting targets.

"Malvertising" is meant to look like a legitimate advertisement on a legitimate website. Malvertisements are designed to get the viewer's attention and encourage the viewer to click. Cybercriminals use the same advertising techniques as legitimate companies to grab your attention. The difference is that once a user clicks on the ad, the malvertisement will download malware, distribute a virus, or send the user to an infected website to capture personal information or run some other malicious program.

In some cases, a cybercriminal will “scrape” a legitimate ad or company logo (i.e. copy the ad and paste it onto their own website) so that it looks exactly like a legitimate ad. If the target clicks on the link, they are directed to a website run by the cybercriminal, and any personal information entered into that website is sent directly to the cybercriminal.

"Phishing" involves sending an email to as many people as possible, hoping to lure a victim to click on a link. Phishing relies on sheer volume and the recipient’s carelessness. Successful phishing attacks increase during the holiday season simply due to the volume and overall rush of the holiday season.

"Spear phishing" targets a specific victim by personalizing an email to make it appear legitimate. As a result, a spear phishing attack requires some level of preparation to get to know the target. A sophisticated cybercriminal will take the time to carefully understand their target. Some gather information from social media, while others use information obtained from a prior victim.

The keys to a successful malvertising, phishing, or spear phishing attack are believability and timing. Attacks are launched at a time of urgency, hoping to take advantage of some chaos, which leads to a hurried decision or a failure to identify an attack. This is exactly the atmosphere of the holiday shopping period. During this time, consumers are bombarded with ads and email specials that offer great deals but require immediate action and expire quickly.

Malvertising is more successful during the holidays because most ads require the target to act in order to activate a deal. Consumers are required to sign up for notices, create an account, or follow a link. This activity does not raise suspicion because most shoppers, when they click on an ad, expect to be required to act or be redirected to another website. 

Spear phishing works best when the email looks as if it comes from a familiar source. A successful spear phishing attack is disguised as an email coming from a known source such as a person or a company where the target has previously shopped.  A target is far more likely to click on an email from a known source than an unknown source. For this reason, familiarity with a target’s background, such as family status, shopping history, and hobbies, is key.  This type of knowledge helps the cybercriminal craft a message that will grab the target’s attention and move them to act quickly. For example, a frequently used tactic is to craft a message advertising the sale of an item that the target recently viewed online. The offer must spark the target’s interest and grab their attention or the target will ignore the email or link.

Nothing can guarantee that you won't install malware this holiday season. However, some steps can be taken to help protect against installing malware.  The main thing is to slow down and remain vigilant.  A good first step is to update all of your system software and anti-virus software before shopping.  While you are shopping look out for:

  • ads that don't look like they were designed by a professional;
  • spelling errors;
  • promises or deals that are too good to be true;
  • ads that don't match your shopping habits or typical search history;
  • a website you frequently shop at that asks for information to establish an account.

If you see an ad for a great deal from a company, instead of clicking on the ad or a link in an email, go directly to the company website and look for the same special offer.

Balancing Security and Convenience

Generally speaking, security and convenience have a diametrically opposite relationship, like opposite ends of a seesaw.  The higher one is, the lower the other.  Everyone would like an unlimited amount of both, but the relationship makes this impossible.  The challenge, and everyone’s ethical responsibility, is to find the balance that gives the proper amount of security with the corresponding amount of convenience.  The simple answer is to make security the highest priority.  The business answer is to make things convenient and efficient.  Therein lies the challenge: if you emphasize security so much that basic communication becomes a hassle, nothing will get done or, worse, people will find a way to bypass the security measures altogether.

In simple terms, if you are sending an email about a tee time, you do not need to worry about security.  Feel free to use unsecured, free WiFi at a coffee shop and identify the contents in the subject line.  If you are preparing for a real estate transaction and sending pre-closing documents containing other people's information, security needs to be the highest priority.  Follow the advice of your title insurance company.  For starters, do not ever use unsecured WiFi and do not ever identify the contents in the subject line.

The FBI Internet Crime Complaint Center (IC3) received complaints that totalled $1.3 billion in losses in 2016.  Before you send information electronically, think about the information and make sure you are using an appropriate level of security.  Security is everyone's responsibility.  

A Few Thoughts for Cyber Security Awareness Month

A few thoughts at the end of cyber security awareness month:

(1) Check with your insurance carrier about a policy for cyber fraud.  Many times a standard malpractice policy will not cover a loss from a cyber fraud scam.  Some reasons that coverage may be declined in a standard policy are: (a) wiring funds is a ministerial task; (b) wiring funds is not the practice of law; (c) it is not an act of negligence if you (or your employee) intentionally submit the wiring instructions; and (d) the lawyer did not have proper cyber security in place (e.g. outdated firewalls).  

(2) A little paranoia is healthy.  Humans are the weakest link in cyber security.

(3) Complex passwords, changed regularly, are a necessity, not an inconvenience.

(4) If you are a title insurance agent, check with your title insurance company for guidelines.  All major companies have been dealing with cyber fraud.  All major companies have procedures in place intended to prevent common errors and training events to raise awareness.

(5) Do not EVER click on a link unless you're positive that it's safe.  Most malware and ransomware is downloaded by the user.

(6) Check back here weekly for cyber security updates, tips, and reminders.  

(7) At the bottom of this blog post is a link to the FBI website.  Check in periodically for information on current scams.  You can also follow the FBI on Twitter.

Scam Details

One popular scam that has been occurring frequently involves a last minute change in wiring instructions.  The scam works, with some variations, in the following manner: as parties prepare for a real estate transaction, one party receives an email with a last minute change to the wiring instructions.  The victim receives the instructions and then wires the funds to the cyber criminal’s account.  Once the funds are received, the funds are withdrawn and the account is closed. 

There are two simple steps to help prevent becoming a victim of such a scam: (1) advance communication and (2) verbal verification.  Advance communication raises awareness and helps prevent a party from sending the funds to a cyber criminal.  Make sure that all the parties that you are dealing with AND your bank know that you will NEVER send a change in wiring instructions via email.  Verbal verification helps prevent a party intending to send funds from actually sending the funds to a cyber criminal by verifying the legitimacy of any requested changes to the original wiring instructions.  Make sure that all parties you are dealing with, including the bank, the lender, and the clients, know that they must speak to you directly and they must receive verbal confirmation of wiring instructions.  Conversely, if you receive changes to wire instructions, YOU must call the sender and speak to your contact to verify any changes in the wiring instructions.

Top Targets for Ransomware Attacks

In general, the top targets for ransomware are users with a lot of money and / or information, limited IT infrastructure and limited controls. The potential benefit to a cyber criminal is the amount of money and information available.  For these reasons, lawyers and title insurance agents are some of the top targets for ransomware.

One way that lawyers and title insurance agents make themselves known to cyber criminals is by using email addresses that contain a word such as law, attorney, title, and so on. For example, email addresses such as Smithlaw@xyz.com, AttorneySmith@xyz.com, Smithlegal@xyz.com, and SmithTitleLLC@xyz.com make it easy to identify the account holder as a lawyer or title insurance agent.  Once a cyber criminal knows a lawyer or title insurance agent uses the account, the account becomes a target.