Good morning everyone, and thank you for having me here as a speaker today. I'm working as the chief security officer of Nordic Choice Hotels. We are 210 hotels, 18,000 employees in six countries. That's my daytime job. And my hobby, my main interest in life, is passwords and digital authentication. And I am so interested in this topic that, well, you can try to guess what my car license plate says in Norwegian. It says "password". And I actually have, on Twitter, a dialogue with Dr. Cormac Herley, who's a famous researcher at Microsoft Research.
I wrote on Twitter that I have it verbally from Cormac Herley, with a witness present, that he's interested in passwords, while I'm obsessed with it. "Cormac, please confirm statement." And he responds in public on Twitter saying: "Confirmed. I have a healthy curiosity while Per is pathologically obsessed," because I have been researching passwords for more than 19 years.
I'm not interested in cars, sports, or not even beer. I do passwords.
And for this introduction today: I'm doing a talk later today at 2:30 PM, where I will also give you the best news that you have probably received the entire year, unless you have got married or got a new child. So I encourage you to come to my talk in this room at 2:30. But in this talk, I will go back to the beginning, in August. Not surprisingly, being obsessed with passwords, I'm also single. There's obviously no connection between the two, but I was having female companionship at home.
Back in August, we were having some good food and wine, and I had turned down the lights and we were watching Netflix, and suddenly the phone rang, you know, a small beep on the phone of my companionship on the couch. And I stopped Netflix.
And of course I, you know, I will give her some privacy. So she starts typing on her phone and, you know, it takes some time, and I'm patiently waiting, and suddenly she turns to me and says, "Is it normal that Netflix asks for your social security number?"
So I, you know, I turned on the lights and I said, "Romance is over, we have a security issue at hand. Give me your phone, please." So this was a text message that she had received.
And well, you know, you probably understand what this is. It's a Netflix scam, of course. So in that moment, she had given away her username and her password for Netflix and was just about to give away her social security number as well. Now this is a simple scam and we see that all the time.
And does it affect anyone? Not really, not even her, because if you can get access to somebody's Netflix account, well, they can watch movies and they can figure out what you have been watching.
That's it. They can't get hold of your credit card. They can end your subscription, big deal. That's a typical example of a very typical scam that we see these days. You can also look up visualizations of breaches that are happening every year. Informationisbeautiful.net has this ongoing tracking of personal data breaches around the world. You can find Facebook, 420 million; Twitter, 330 million; Marriott hotels, 383 million. And this is just for the past two or three years. And you can see even more here. You can learn about all these breaches, and these are the big ones.
These are not the breaches that include 10 people, a hundred people, you know. A hundred thousand people today
isn't really a big breach anymore, but a hundred thousand people, that is a lot of people still. I could also talk about the Norwegian company Norsk Hydro, who got compromised by ransomware. And the estimated cost is somewhere between 350 and 400 million Norwegian kroner, 35 to 40 million euros. I could also talk about the Danish company Maersk, two years ago, hit by NotPetya ransomware.
Again, total cost 350 to 400 million US dollars. Wired writes: "Crippled ports, paralyzed corporations, frozen government agencies. How a single piece of code crashed the world." This story really made headlines around the world.
Now here's one of the stories that I use when I do my talks. And this is for real: this is the news agency Associated Press on Twitter several years ago. And one day, having 1.9 million followers, they suddenly tweeted out this message: "Breaking: Two explosions in the White House and Barack Obama is injured." Now that was fake news. It never happened.
There were never two explosions in the White House and the president wasn't injured. And this only happened on the Twitter account of AP; no other news organization and no other media channel brought this news. And it's just a tweet. And did this have any kind of impact?
Yes, it did. The Dow Jones index actually fell by 136.5 billion US dollars in a time window of seven minutes, where Dow Jones stopped trading to figure out what happened. And what happened was that the Syrian Electronic Army, and not to be too political, but these guys are hackers. We don't know if they are dead today. They haven't been active for some time now, but at the time they said they were supporters of President Assad in Syria and his regime.
And what we don't know is whether they, the hackers or the regime, made any money from this incident.
Now it's getting more serious because then we have political activism in the big picture. It's just not money anymore. Six years ago, the Norwegian government agency for financial supervision and regulation said in their annual report that they were expecting a wave of mobile hacking in Norway. The reason for that is Norway was incredibly early with mobile banking. Today, pretty much everyone in Norway is using their smartphone for doing online banking.
You can of course use your desktop computer at home as well, but almost everyone is using the mobile phone. And they said six years ago that we do expect a wave of hacking. Now that didn't actually happen yet.
But one of the issues that I've been talking about is mobile hijacking. This is not a new phenomenon. This has been known worldwide for many, many years, but what happened in Norway is that it became a big issue this spring, in March and April. I've been spending a couple of years researching this, especially for the Norwegian market.
And I called the largest financial newspaper in Norway and told them what I had been researching. And I also asked them to do some stories on this and some additional research that I can't do, because it would be at least very close to being illegal. But as a media organization, they can, because of their role in society as a news organization.
So mobile hacking, mobile hijacking, is about port-out attacks, essentially moving your mobile subscription to another provider and a new SIM card. There can also be SIM swap attacks, where I will just go into some store and tell them that I am you.
And I need a new SIM card. And in quite a few cases, I will succeed in doing that. And as soon as I install the new SIM card and start using it, your SIM card will stop working. You won't be able to call anyone and you won't receive any phone calls, and all text messages and all phone calls for you will come to my phone and my SIM card in your name. That could be a big problem to some. There are also spoofing attacks, where I can send text messages or make phone calls.
And they will look as if they are coming from you, or from a lawyer, or from the police asking you to come into their office tomorrow morning for suspicions of financial fraud. For your next general elections in Germany, maybe I could send some messages, text messages, to reporters in TV and newspapers. And the messages look like they're coming from one of your, let's say, controversial politicians, with some fake news that appears to be crazy, but sane enough for the news organizations to eventually make a report on it without actually verifying the message's validity.
And thus, maybe I could influence the German elections. Now we are getting really serious here.
Now, one of the things the financial newspaper in Norway did: they went out on the street. They got permission from one of the most famous bloggers that we have in Norway, a young girl, Sophie Elise. And they went up to some salespeople in the street selling subscriptions for one mobile carrier in Norway, and a female reporter says, "Hi, I'm Sophie Elise. I would like to transfer my current subscription from this provider to you." And they said, "Fine, we can do that. Do you have some identification?" And she said, "I'm not sure, I don't have my driver's license with me."
"Well, do you have anything else?" And she pulled out a fake business card that they had printed like 30 minutes earlier in the office. And she handed over that business card and they said, "Fine, let's do it." That easy. And within hours, they would essentially have become her. So because of this, who you are and are you authorized to do whatever you're trying to do is very, very important today, as it was five, 10, 20 and 30 years ago. And doing this online is increasingly difficult because the person that you are trying to identify is not standing in front of you.
You are identifying a digital persona, not the physical person behind the keyboard.
And then we move on to the question of what can we do then, or as I like to say, what if I could be you?
Well, a newspaper in Norway wrote a story about chasing Max. This happened earlier this year, and what they found is there was a woman, anonymously named as Nina. And she woke up one morning seeing on her mobile phone that she had received several text messages from Apple, Facebook, Google and so on with account verification codes. She didn't understand exactly what was going on until she realized that she couldn't access her Apple account anymore, or her Facebook account, or Google account, or her Snapchat account, Instagram account and so on.
And Nina was smart, because she was actually using two-factor authentication for almost every single account she had online where you can do two-factor authentication, but still somebody had gained access to her accounts.
And she didn't understand why, but when the newspaper was examining this, they did figure out what was going on, because at least two of the largest telecom operators in Norway are offering a service called SMS copy. So you can log on to the telecom provider on your account page, and you can configure SMS copy, which is essentially a service.
So when you receive a text message, the telecom provider will send a copy of that text message to another number that you have inserted. And that can be for your grandmother. That can be for anyone in the world, anywhere in the world. Or you can also configure this service to send a copy of all incoming SMS messages to you by email, to any email address you want. So the hacker had gained access to her account with the telecom provider and configured an email address in there.
So all text messages that she received were also being sent by email to his email address, and nobody ever logs on to the telecom provider to look for what kind of services have been configured for the subscription. And this way, he was able to gain unauthorized access to the social media accounts of more than 50 random women all across Norway. And he is now being held by the police and investigated for these crimes. And although this is not physical abuse, rape against women, it is as close as you can possibly get to do something like this.
So as a result of my research and the articles from the Norwegian newspaper, our minister of digitalization, Nikolai Astrup, talked to the government agency that is overseeing the telecom businesses in Norway and told them to fix this. They said that all telecom providers operating in Norway have essentially broken the law by not doing proper identification and authorization. And they had to fix that as soon as possible. And not only did he do that, but he also issued a hearing from the Norwegian government on September 3rd: actions to prevent mobile hijacking.
So this is a public hearing where anyone can read the proposal for a new law, or essentially an improvement of current law, saying that for telecom providers, if they are to issue a new subscription, or move, delete or change the subscription, you need a proper digital identification of the person, and also some kind of authorization if somebody is acting on your behalf.
But this talk is getting worse, because I will talk about Ashley Madison as well. This is a true horror story. Ashley Madison is still operating today, and it was a dating service with this slogan:
"Life is short, have an affair." Easily translatable into any language, I guess. Now I'm not here to talk about ethics and morals. What you do is up to you, but they claimed when they got hacked that they had 37.5 million anonymous members all over the world. Now this is from the Universal Declaration of Human Rights, Article 12, and this actually means something to me: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
Now, the hackers issued a message saying: we have access to all your customers' data, including all the pictures. And if you don't stop your business completely within 30 days, we will release all the customer data into the wild for everyone to see. And to prove that we are serious, we will release information about one random person every day for the next 30 days, from around the world. And you can call that person, most probably male, and ask him, "Were you on Ashley Madison?"
Oh, and by the way, here's your credit card.
And they did. And they also even released the data for everyone to see. And we saw, as part of this, at a global scale, that companies were profiteering from this. We saw media organizations laughing at people: "Officials exposed in Ashley Madison hack." The Mail Online says "Names of 37 million cheating spouses are leaked online, including bankers, United Nations and, oh, Vatican staff." And Ashley Madison of course issued statements: "We immediately launched a thorough investigation.
We apologize. No company's online assets are safe from cyber vandalism," blah, blah, blah. They had shitty security, period. And I will say that time and again, in public. And I was interviewed by a radio show in Norway, a very serious one, talking about lies, many complexes, and ethics and morals. And I was telling them about a Norwegian man who called me, because I was interviewed globally regarding this breach. And I told them that this man was in the breach. He actually helped me verify that the breach was for real, when the final data set was released. And he told me, "I am nobody."
He said, "I am married. I have two grown-up kids who have left the family.
And I had an account on Ashley Madison. We've had our problems in marriage,
like, I guess, lots of people have had." But he said, "I haven't met anyone. I haven't been with anyone." And to me that was like, I don't care. That's your life and your decision. And I said that he deserves his privacy. There's no way we can prove or disprove that he was cheating on anyone. And he asked me, "Can you help delete my data off the internet?" And I said, "No, I can't. That's not possible. And anyone claiming to do so is just trying to commit fraud against you; they will take your money and they will run." And I was in contact with him for several months.
Until one day I received this text message in Norwegian. I will read it in English: "I'm not going to waste any more of your time, but the potential of additional damages due to the Impact Team" (which was the name of the hackers) "being provoked by the slow legal process, et cetera, may keep the story in the media. Tell the audience and others and warn them about what psychological hell a little bit of OUS online can lead to. I am almost a completely broken man, and I don't know if I will ever be able to stand up again. And I had a life full of great qualities."
He wrote not as whining, but as a matter of fact, and a strong warning. And that was the last message he sent to me before he killed himself. And that is what I consider the real cost of cybersecurity. Thank you.