Source : Sarawak Tribune dated February 9, 2021

Husin Jazri

It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it. 

– Stéphane Nappo, Global chief information security officer at Société Générale

Being a cybercrime victim is not fun at all. It is very hard and frustrating. A lot of time and money is wasted along the way, and not to mention the pain of going through all the necessary reporting processes with no guarantee of positive outcome in the end.

Dealing with cybercrimes in many instances is more complex than physical crimes due to the borderless internet and the need to deal with many legal jurisdictions along the way to get the investigation going and appearing before the court. In certain instances, the compensation that we may get once the case is over might not help or even be the solution.

Who can possibly become victims of cybercrimes? The answer is simple — everyone and anyone. A nation state can become victim, while companies, and organisations too are not spared. And the largest are individual users of the internet, whom we refer as netizens, citizen online or online users wherever they are.

Recently, Malaysia has had three cyber-attacks that we know publicly. The APT28 Fancy Bear, hackers from a neighbouring country and the latest, Anonymous Malaysia. These are examples of attacks at a nation-state level. Playing victims at a nation-state level is hard and unpleasant. Despite the relatively small successes of the attacks, the coverage of these attacks on public media can be embarrassing, exposing the loopholes of the critical national infrastructure defences.

Companies and organisations are also under constant cyber-attacks. The word ‘constant’ is used because cyber-attacks can be automated by artificial intelligent programmes to look for known vulnerabilities and carelessness waiting to be exploited.

The hardest hit cybercrime victims are the netizens. It is the hardest because the attacks hit at a personal level, creating emotion distress that can be very lonely to face, besides the loss of monetary, data and/or reputation that is already inflicted.

As for the nation-state level cyber-attacks, the problems are endured with adequate resources, with monetary and professionals’ reinforcements to stop, prevent and pursue. As for companies, most of them can cope and continue with business continuity plans, barring a few companies that went bankrupt and ceased business operations, when their core business was badly hit by reputational damage or regulatory compliance breaches, unfortunately.

There are many ways to launch cyber-attacks, and remedial actions and solutions are always limited, costly, emotionally painful, and can take a long time to address. We will go through one real-life case study to help us understand better these challenges, with actual info from the incident which has been changed to protect the victim’s reputation.

Auntie Kiah is in the food business and generates good business by working from home and making use of social media channels, particularly Facebook (FB). On one unlucky day, a hacker hijacked and took ownership of her business FB page and account. She struggled to get back the FB account and her credit card information was used by the hacker to purchase online adverts.

Let us analyse this case in detail and appreciate the hardship that this netizen had to go through by herself to get back what was once hers. 

First, when the FB account was created it was registered under the freelancer’s name and email address, not hers. She could no longer find him as it was years ago.  Then she escalated her case to Cyber999 service, also known as MyCERT, as she was advised to do so. Cyber999 is a free service run by Cybersecurity Malaysia, and this service is funded by the government to help Malaysians cope with complexities of cyber incidents. Based on actual record, at best, this Cyber999 service escalated her case several times to Facebook, and there was nothing more they could do, except wait for a response from FB. 

Anyway, she had to do the same reporting on her own through the FB incident portal with or without the help of Cyber999 — which is a dead end for Auntie Kiah in this case. As she is not tech-savvy, this reporting process proved to be complex and confusing to her. Let us call this the first emotional stress or agony.

Second, since the owner record in the FB was not hers, but the freelancer’s, FB did not want to communicate with or help her to take back her hijacked account as they did not want to put their company at legal risk of helping the wrong individual. She waited and waited for many days, hoping for some miracle to happen. Let us call this the second emotional stress or agony.

Third, as the hacker got hold of her credit card info from the FB account, the culprit purchased some stuffs online using her credit card. She uses this credit card to pay for the service to increase the visitors to her FB page. In the end, she had to make a police report to stop it. Let us call this the third emotional stress or agony.

Fourth, she had to go to her local bank as well to stop the credit card service immediately, and the bank was slow to act and the hacker managed to make another round of purchase using her credit card before the bank stopped it. Let us call this the fourth emotional stress or agony.

In the end, she lost her FB account for good and was so unfortunate that the hacker sold her FB page(s) to some other buyers online. Let us call this the fifth emotional stress or agony.

She lost her customers’ info due to this case, and money as well through illegal credit card purchases. Let us call this the sixth emotional stress or agony.

ESPC logo

Based on the above real case study, we should know by now that getting back what we lost online is a hard and complex issue. Auntie Kiah had to go through a sixth emotional agony and in the end, she got nothing but wasted time and money.

Therefore, we would like to stress the importance of embracing all necessary efforts to prevent ourselves and our loved ones from becoming cybercrimes victim. The agony to rectify it is much more than the burden to prevent it from happening. This is especially true for all of us, as individuals, in this cross border digital world.

Till the next time, always be safe and think many times before clicking to accept any online offer.

• Serba Dinamik ESPC provides cybersecurity and privacy services end to end to any interested parties locally and abroad. More info is available on our website https://www.espc2go.com

Assoc Prof Col (r) Datuk Dr Husin Jazri CISSP is Senior Vice President Cybersecurity, Serba Dinamik Group Berhad and Chief Editor of ESPC. He is a member of UNIMY Board of Governance/member of Malaysia Crimes Prevention Foundation. Husin obtained his PhD in Computer Science (Cybersecurity) from National Defence University of Malaysia, Masters (Distinction) in Information Security from Royal Holloway University of London, UK and MBA from University Putra Malaysia. He was the recipient of the prestigious global cybersecurity award, the Harold Tipton Lifetime Achievement Award by the ISC2, USA. (Email: hjazri@e-serbadkgroup.com/drjazz@espc2go.com )

The views expressed are those of the author and do not necessarily reflect the official policy or position of the New Sarawak Tribune.

By ESPC