3 Emerging Cyber Threats We’re Not Ready For in 2019

Experian released its predictions for the breaches we can expect to see this year. Here are three newly emerging threats you might not be ready for.
By: | January 22, 2019

For the sixth year in a row, credit monitoring and data services company Experian has released its predictions for the breaches we can expect to see in 2019.

Last year, it surmised that new EU data security regulations, vulnerabilities created by the Internet of Things, weaponized artificial intelligence in the hands of hackers, and increased attacks on governments and critical infrastructure would be the top cyber threats. On the whole, they were half-right. (See Experian’s full report and their scorecard of past predictions here.)

For 2019, the company foresees several types of attacks taking place. These three are the newest emerging threats:

1) Biometric Hacking

Many IT professionals are incorporating more biometric data in their authentication processes, and the approach does seem to be the most secure. All of our thumbprints are unique, after all. But hackers have already proven once again that where there’s a will, there’s a way.

Michael Bruemmer, vice president, data breach resolution group, Experian

“You can actually 3D print a replica of someone’s face to fool facial recognition technology,” said Michael Bruemmer, vice president of Experian’s data breach resolution group. Some Android phones have unlocked when shown a simple photograph of their owners’ faces.

Scans of facial features and fingerprints are also stored and can be stolen the same as a typed password or numerical code. As many as 5.6 million fingerprints were stolen in the 2015 breach of The Office of Personnel Management. An increasing number of facilities and police forces are also using facial recognition technology for security purposes.

“Most people don’t realize how much biometrics affect daily life,” Bruemmer said. “It’s in the airport check-in process, employers use it to track time and attendance, law enforcement uses it. Almost all of our devices use some form of biometric confirmation.”

2) Gaming as a Cyber Attack Launch Pad

Online gaming has soared in popularity over the past few years. About one-quarter of the world’s population are gamers. According to Statista, free-to-play and pay-to-play massively multiplayer online (MMO) gaming generated roughly $19.9 billion in 2016, and the data volume of global online gaming traffic is forecast to grow from 126 petabytes in 2016 to 568 petabytes in 2020.

“Gamers are comfortable with the dark web, they have great computer skills, and they operate anonymously. So it stands to reason that they have the skills and the motivation to hack into other games in order to steal valuable data like credit card information or other PII,” Bruemmer said.

“Gamers are comfortable with the dark web, they have great computer skills, and they operate anonymously.” — Michael Bruemmer, VP, Data Breach Resolution, Experian

Experian’s report also states “tokens, weapons, and other game pieces… are worth a lot of money within a gaming community. … a hacker can take over someone else’s avatar and identity within a game without detection and walk away wealthy.”

In late December of 2018, the browser-based game Town of Salem suffered such a breach that went unnoticed for days while employees were away on holiday break. Stolen data included email addresses, usernames, IP addresses, game-related activity, passwords and payment information.

3) Multi-Vector Dark Web Attacks

Phishing emails, malware-infected links and theft of authentication information are still cyber security risks to watch. But after a multitude of attacks and lessons learned, “security teams do have the tools and systems in place to mitigate these types of attacks,” Experian’s report said.

The attack we’re not ready for is the one that turns our own devices against us. Wannabe cyber criminals can easily purchase botnet installation software on the dark web. Botnets are connected computers that work together to perform a task and are always running in the background to keep websites updating. But run by a malicious hacker, they can be used to take over your computer.

Essentially, multi-vector attacks turn your device into a foot soldier for the enemy.

Security firm Norton describes malicious botnets aptly: “More often than not, what botnets are looking to do is to add your computer to their web. That usually happens through a drive-by download or fooling you into installing a Trojan horse on your computer. Once the software is downloaded, the botnet will now contact its master computer and let it know that everything is ready to go. Now your computer, phone or tablet is entirely under the control of the person who created the botnet.”

Essentially, multi-vector attacks turn your device into a foot soldier for the enemy. This provides an exponentially larger attack surface for cyber thieves to collect PII.

“You don’t have to be technologically sophisticated to carry out an attack like this. You can buy kits on the dark web and follow the instructions to install malware, or hack into Bluetooth, or spoof a free public WiFi spot. This allows people with very little computer literacy to get into the game of stealing information,” Bruemmer said.

“We believe there will be a number of multi-vector attacks coming from the dark web in 2019.”

Risk Mitigation Strategies

Additional predictions include enterprise-wide skimming attack targeting a major financial institution; an attack on a major wireless carrier that could potentially disable all wireless communication in the U.S.; and a breach of a top cloud vendor that compromises sensitive information of hundreds of Fortune 1000 companies. Though these threats aren’t new, Bruemmer said he believes they will happen at larger scales and cause significantly larger losses.

Though cyber crime is evolving all the time, there are a few basic steps companies can take to protect themselves. These include multi-factor authentication that does not rely on biometric factors; encrypt biometric data when it is used; monitor networks for anomalous transactions; never rely on public WiFi; and train employees not to click on links or open attachments from unfamiliar sources.

As a rule of thumb, “don’t be afraid to be suspicious,” Bruemmer said. &

Katie Dwyer is a freelance editor and writer based out of Philadelphia. She can be reached at [email protected].

More from Risk & Insurance