Cybercrime is rising, but there are simple things consumers can do to protect themselves against it. OC Magazine spoke to Canadian cybersecurity training expert Steve Waterhouse, CEO of INFOSECSW, about the latest developments in cybersecurity and what Canada is doing to fight cybercrime.
What’s the biggest cybersecurity threat consumers face today?
The biggest issue is right now is ransomware, software designed to publish companies’ data or block access to it unless a ransom is paid. Ransomware is increasingly being used to steal data from small- and medium-sized businesses. But online fraud in general is increasing. In Quebec, the story of Groupe Desjardins –[a data breach in 2019 that affected 4.2 million customers – really woke people up to identity fraud. Consumers know they don’t have any control over it. I see people now starting to make tallies of the personal information they are giving away. They are astonished to see how much they have provided without asking questions, without protecting themselves.
What can consumers do to protect themselves?
Consumers need to start by reviewing how they use technology. You can reduce the amount of information you provide to big entities like Facebook by being more conscious of how you communicate online and what applications you use. The first thing you should do is switch to anonymized search engines, like duckduckgo.com. That way you can get answers to what you are searching for without supplying information about yourself. I recommend Startpage.com, a search engine from the Netherlands that strips all your identity from your question before it submits the questions to Google. When you use Startpage, Google doesn’t know where you are, so it supplies a neutral response to your questions that is actually more aligned with what information you are seeking. For communicating online, I recommend avoiding WhatsApp or Messenger, which are part of Facebook. When it comes to gathering information about users, they are the hungriest applications out there. You should use a privacy-oriented chat app instead, like Signal. Unlike in Messenger, the message in Signal is encrypted and not bound with your identity. I never use Facebook on my smart phone or tablet because it has access to so much information about where and when I use it. When you use FaceTime on a computer, it doesn’t get as much information about your activities. Likewise, dating applications get more access to your information if you use them on your portable device than on a computer.
So basically, consumers have to change their habits?
Yes. Using email is another example. Email is not protected or encrypted. If you exchange information of a sensitive nature, you should use other types of messaging applications, like iMessage or Signal [recipients must be using the same applications]. If you want to talk with a friend about a problem with your spouse and you want to keep it as confidential as possible, you will be much better protected with iMessage. It’s more secure than Facebook because Apple guarantees end-to-end encryption. This has been verified by many sources.
What is actually happening to people whose personal information is stolen?
People halfway across the world are using personal information stolen from Canadians to access services, whether it’s buying a plane ticket or cell service. Passport trafficking is also happening at a higher rate than ever because so many people want to come to Canada. If a person who uses your stolen passport identity succeeds in getting into Canada, well, guess where the invoices for their purchases go? To your address! When that happens, you may have to prove you didn’t make the purchases.
And consumers should also worry about who’s using their personal information?
Yes. Lots of companies, particularly insurance companies, are interested in getting information about your habits. They obtain this through data brokers who get their hands on information about you through your social media. Rewards programs like Air Miles accumulate information about your buying habits and then sell it on the market. It doesn’t matter whether the information has your name on it or not. It’s easy for companies to bring back anonymized data and a complete profile of a specific person. In the near future, insurance companies and companies in the medical field will get access to your life habits. So for example, if your social media app tracks everywhere you go, insurance companies might be able to see how often you go out during the day. An insurer may even use this data to refuse an insurance claim as a false declaration. This may influence whether or not you get access to certain services. The government is also interested in knowing more about you. For example, police forces can scan social media to see whether you were present at a specific gathering. They can do this because the information is publicly available! The more people are leaving information about themselves online, the more organizations will go and get that information because it is publicly available.
What percentage of businesses are actively working to prevent hacking and identity fraud?
I’ve seen a real uptick in requests for fraud tests from businesses in the last year. But on the whole, very few companies are taking action either to prevent or report cyber incidents. This is problematic because cyber criminals look for easy targets – they usually don’t even know what kind of businesses they are ransoming! But the techniques they use are constantly evolving. Unfortunately, a typical business owner is not very tech savvy and businesses aren’t as well educated about cybercrime as we expect them to be. Most are barely keeping up with the evolution of cybercrime. The first thing I tell businesses is to do a threat risk assessment to evaluate how vulnerable they are. After the threat assessment, they can put some practices in place. Businesses usually discover that many cyber protection measures are not much more complicated than fire hazard protection measures like deciding where to put emergency exits and smoke detectors.
You have said Canada is 10 to 15 years behind other countries in being able to fight cybercrime. Where did we fall behind?
To understand the situation in Canada you have to look at the cybersecurity problem globally. The RCMP is the main police in all provinces except Ontario and Quebec and they have finite resources to perform all their duties. Cybercrimes have been rising steadily over the last year, so the government has to invest more to deal with them. Police services across the country are way behind in terms of the human resources and technical capacity they need to keep up with cybercrime. Investigations are very time-consuming and require people who are competent in forensics. That raises costs but the budget is just not there. In addition, police don’t have enough specialists to help in these investigations. Or they do, but can’t use them because of budget restrictions. I have a friend, a police officer who did a digital forensics investigation course, followed by a year internship with the Sûreté du Québec, but when he returned to his base, his supervisor told him they were short of patrollers, so he would have had to go back to a patrol car. It’s not a problem that just popped up last week. It’s been a problem for the last 10 or 15 years.
Canada just created a new National Cybercrime Coordination Unit (NC3) that is supposed to be up and fully operational in 2024. How is this going to help consumers?
Coordinating services between police forces across the country will help a lot. NC3 is primarily a national coordination effort. Let’s say you are a police service tracking someone on the Dark Net. You have all the information you need to find them. Then you realize you are talking to two other police forces doing a similar investigation and you discover that they are looking for the same thing. Before NC3, you would have had three police forces doing the same job, each in their silo, none sharing information. NC3 will allow these different police services to coordinate their efforts so they won’t be using resources separately to do the same investigation. So let’s say Sudbury is looking at a cybercrime and it turns out that Halifax has investigators looking into a situation that has the same look and feel. Meanwhile, in Montreal they figure out something specific about where the criminals are working. By coordinating efforts through NC3, these three forces will be able to save time and resources and solve the crime faster.
Many Canadian provinces are considering creating digital identity cards to replace drivers’ licences and medical cards. How will these help fight identity fraud?
There has been a national effort going on for the last five years, led by the Digital Identification and Authentication Council of Canada, to create standardized digital identities that will be used in all aspects of our society: banks, government bodies, security companies, telecom companies and more. Canada isn’t inventing anything. Lots of other countries across the world have been using digital identities for the last 10 or 15 years: Belgium, Brazil, South Africa, even Estonia. So really, Canada is just getting into the 21st century. Digital identities will be hard for cyber criminals to forge because they combine identity information from different sources, for example, your passport number and your online purchasing or social media. The experience of other countries across the world has shown that digital identities are a sustainable way of protecting citizens’ identities. Estonia, for example, which has a population of 1.3 million, was the first country to use completely digital identities for everything from voting to purchasing consumer goods. The system was attacked by Russian sympathizers, but they recovered and survived and it is still working.