Don't be a Cyber-victim - onc.hk

Dec 01, 2018

Transcript

Don't be a Cyber-victim 切勿成為網絡受害者

Easy steps to mitigate the risk of Cyber-attack 一些減少網絡襲擊風險的方法

Dominic Wai, Partner, ONC Lawyers
31 October 2016
The Hong Kong Electronic Industries Association

This presentation is not an exhaustive treatment of the area of law discussed and cannot be relied upon as legal advice. No responsibility for any loss occasioned to any person acting or refraining from acting as a result of the materials and contents of this presentation is accepted by ONC Lawyers.

Sept 2016 © ONC Lawyers 2016. All rights reserved

Case Study: Globenet Droid Ltd v Hong Kong Hang Lung Electronic Co (a firm)

Facts – Plaintiff (1)

• Early 2013: the Plaintiff (P) was looking for a supply of batteries.
• P came to know a company named CP and had been contacting it via a person purporting to be "Nelson Zeng".

Facts – Plaintiff (2)

• In emails, the sender's address is shown in "< >" after the sender's name, e.g. "X <abcde.abcde.com>". The display name "X" can be whatever the sender likes to enter; it proves nothing about who actually sent the message, so look at the address in the angle brackets.
• In the email correspondence with P, the person(s) purporting to be "Nelson Zeng" appeared in the emails as:
  • "[email protected] <[email protected]>"
  • "Nelson Zeng <[email protected]>"
  • "[email protected] <[email protected]>"

Facts – Plaintiff (3)

• "Nelson Zeng" told P in an email that any payments to be made to CP should be made to a bank account of its affiliate company.
• After comparing prices, P decided to place orders with CP and contacted CP by phone; those communications were with the true Nelson Zeng and the true CP.

Facts – Plaintiff (4)

• June 2013: P received from "Nelson Zeng" a Proforma Invoice:
  • under a letterhead bearing the Defendant's (D's) name in English but CP's name in Chinese;
  • bearing a company chop with D's name in English but CP's name in Chinese;
  • the recipient bank account was D's HSBC bank account.
• P subsequently received another Proforma Invoice from the true Nelson Zeng (the true CP):
  • under the letterhead of CP in both English and Chinese;
  • bearing the company chop of CP in both English and Chinese;
  • the recipient bank account was an account maintained with CCB in HK.

Facts – Plaintiff (5)

• On 4 July 2013, P made an online transfer of US$104,260 from P's HSBC bank account to D's HSBC bank account (pursuant to the 2nd invoice).
• Reasons:
  • "Nelson Zeng" had told P that it had to make payment to the account of CP's affiliate;
  • P thought D was CP's affiliate;
  • a transfer from P's HSBC account to another HSBC account would save some bank charges.

Facts – Defendant (1)

• April 2013: D received an email from a person named Robert Ford, inquiring about its products and seeking quotations for his customers.
• Robert Ford claimed that his customers and financiers wanted to transfer up to US$30,000 to US$50,000 into D's account, because they had other engagements in China and wanted to use this opportunity to send the total amount they needed to D's account.

Facts – Defendant (2)

• July 2013: D agreed with Robert Ford that the purchase price of D's goods should be US$16,500.
• D received US$104,246 (actually transferred by P).
• D asked Robert Ford by email: "Why are you doing it this way? You paid 104,246, but now the total amount of products is US$16,500; you still have US$87,746 in our bank account. What are you going to do?"
• Robert Ford replied that he would need the money to purchase goods himself.

Facts – Defendant (3)

• July 2013: the RMB equivalent of US$87,746 was transferred from the bank account of one Mr. Lau of D, maintained with ICBC in the PRC, to a bank account maintained with BOC in the PRC designated by Robert Ford.
• A representative of Robert Ford took delivery of the goods whose purchase price had been agreed at US$16,500.

Outcome

• D had failed to establish the defence of bona fide change of position, or any part of it; it must follow that P should be able to recover US$104,246.00.
• D was ordered to pay P the costs of the action.

Conclusion

• For payer and payee alike: whenever there is doubt or unusual circumstances, make INQUIRIES (for example by telephoning the counterparty on a number you already hold, not one taken from the suspect email).

Recent Fraud Trend

Surveillance of target company → Identify key individuals → Fraudulent email requesting transfer → Pressure emails → Transfer to fraudster's account → Further requests

• Surveillance of target company
  • Public information
  • Inside information (hacked)
  • Phishing emails
• Identify key individuals
  • CEO
  • CFO
  • Financial Controller
• Fraudulent email requesting transfer
  • Appears legitimate
  • From a similar address
  • From a hacked account
• Pressure emails
  • Timing
  • Further email exchanges with the imposter
• Transfer to fraudster's account
  • Overseas account
  • Money moved again (hard to trace)
• Further requests
  • Often successful
  • Not worried about being caught

Sample fraudulent email:

"John, our longtime supplier BestCo is having tax re-structuring issues and wants us to make this month's payment to a different account. Can you please arrange urgently. I'm attaching the remittance instructions."


Sample phishing email:

From: Linkedin Security® [email protected]
To:
Subject: Linkedin Security Validation

Hi Account User, Due to a recent upgrade in our database, you are required to validate your account information with us to ensure that you are on our database system. Failure to do this might lead to a brief suspension of your Online access, pending verification. Please CLICK HERE <http://www.totaldisplayfixture.com/Direct/login.html> to start your account verification process. LinkedIn 2016 Support Team
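The "CLICK HERE" link in the message above points at www.totaldisplayfixture.com, a host that has nothing to do with LinkedIn; the visible text hides the real target. The script below is an added example, not part of the ONC slides, of checking links before anyone clicks them: it pulls every anchor out of an HTML mail body and flags those whose real host is outside the domains the claimed sender would use, or whose visible text shows one URL while the href goes somewhere else. The sample HTML body and the allow-list of LinkedIn domains are constructed for the example; only the first link's URL is taken from the slide.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so "CLICK\n HERE" reads as "CLICK HERE".
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'www.x.y/...' text is given a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Crude 'example.com' from 'www.example.com' (no public-suffix list; fine for the demo)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html, allowed_domains):
    """Return the anchors a reader should not click, each with the reason."""
    collector = AnchorCollector()
    collector.feed(html)
    allowed = {d.lower() for d in allowed_domains}
    flagged = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        # mailto: and relative hrefs have no host and are flagged too; tighten if needed.
        if registrable_domain(host) not in allowed:
            reasons.append("target host is not a %s domain" % "/".join(sorted(allowed)))
        # Classic trick: the link text is itself a URL, but not the one the href opens.
        if text.lower().startswith(("http://", "https://", "www.")) and host_of(text) != host:
            reasons.append("displayed URL differs from the real target")
        if reasons:
            flagged.append({"text": text, "href": href, "host": host, "reason": "; ".join(reasons)})
    return flagged


# Constructed sample body modelled on the LinkedIn-branded phish above.
SAMPLE_HTML = """
<p>Hi Account User,</p>
<p>Please <a href="http://www.totaldisplayfixture.com/Direct/login.html">CLICK HERE</a>
to start your account verification process.</p>
<p>Or sign in at <a href="http://203.0.113.5/li/login">https://www.linkedin.com/login</a></p>
<p><a href="https://www.linkedin.com/help">LinkedIn Help Center</a></p>
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_HTML, {"linkedin.com"}):
        print("%-32s -> %-48s %s" % (hit["text"], hit["href"], hit["reason"]))
```

Run as-is it reports the "CLICK HERE" anchor (wrong host) and the second anchor (wrong host and a displayed URL that differs from the href), and lets the genuine help-centre link through. The allow-list is the set of domains you would expect the real sender to link to; a lookalike such as linkedin-security.example fails it just like an unrelated host does.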

Phishing Email

• Emails (or messages in another medium) pretending to be from a genuine source or someone you know, to gain your trust and convince you to do something that benefits the fraudster.
• Spotting phishing:
  • Be suspicious.
  • Does the communication make sense?
  • Does it ask you for confidential and private information like logins or passwords?
  • Does it ask you to open attachments, click on a hyperlink or visit some website?
  • Check the message headers: the email meta-data that includes the message routing information.
  • Don't use "Reply" or "Forward" on a suspicious email when responding; start a new message to an address you already know to be right.
  • Contact the person: call them to verify, using a number you already have rather than one given in the email.

Sept 2016 © ONC Lawyers 2016. All rights reserved
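Slide 5 made the point that the display name in front of the angle brackets is free text, and the list above says to check the message headers and routing meta-data. The following script is an added example, not part of the ONC slides, that does both on a raw message: it separates the display name from the real address, flags a Reply-To that goes elsewhere, compares the sender's domain with the supplier domain you expected (one or two edits apart is the classic lookalike), reads the receiving server's Authentication-Results, and lists the Received hops. The sample message, every address and domain in it, and the expected supplier domain cp-battery.example are constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_address(header):
    """(display name, addr-spec) of the first mailbox in an address header, or ('', '')."""
    if header is None or not header.addresses:
        return "", ""
    mailbox = header.addresses[0]
    return mailbox.display_name, mailbox.addr_spec


def triage(raw, expected_domain, max_distance=2):
    """Separate display name from address and collect the warning signs in the headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, address = first_address(msg["From"])
    from_domain = domain_of(address)
    expected = expected_domain.lower()
    findings = []

    # The display name is free text: it may even be written as a different e-mail address.
    if "@" in display_name and display_name.lower() != address.lower():
        findings.append("display name %r is an address that differs from the real sender %r"
                        % (display_name, address))

    if from_domain != expected:
        distance = edit_distance(from_domain, expected)
        if distance <= max_distance:
            findings.append("sender domain %r is a lookalike of %r (%d edit(s) away)"
                            % (from_domain, expected, distance))
        else:
            findings.append("sender domain %r is not the expected %r" % (from_domain, expected))

    # Replies go to Reply-To when it is present, so From: can be made to look right.
    if msg["Reply-To"] is not None:
        _, reply_addr = first_address(msg["Reply-To"])
        if domain_of(reply_addr) != from_domain:
            findings.append("Reply-To %r points to a different domain than From" % reply_addr)

    # Authentication-Results is written by the receiving mail server, not by the sender.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % mech, auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append("%s=%s" % (mech, result))

    # Received: headers are prepended hop by hop; the last one is where the mail entered the chain.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    return {"display_name": display_name, "address": address, "hops": hops, "findings": findings}


# Constructed sample: the expected supplier is cp-battery.example; the mail comes from a lookalike.
RAW_EMAIL = b"""\
From: Nelson Zeng <nelson.zeng@cp-batttery.example>
Reply-To: nelson.zeng.cp@free-webmail.example
To: purchasing@plaintiff.example
Subject: Updated payment instructions
Authentication-Results: mx.plaintiff.example; spf=none smtp.mailfrom=cp-batttery.example; dkim=none; dmarc=none
Received: from mail.free-webmail.example (mail.free-webmail.example [203.0.113.7]) by mx.plaintiff.example; Mon, 24 Jun 2013 09:12:44 +0800
Received: from [198.51.100.23] by mail.free-webmail.example; Mon, 24 Jun 2013 09:12:40 +0800
Content-Type: text/plain

Please remit this month's payment to the attached affiliate account.
"""

if __name__ == "__main__":
    report = triage(RAW_EMAIL, "cp-battery.example")
    print("Display name: %r   real address: %r" % (report["display_name"], report["address"]))
    for finding in report["findings"]:
        print(" -", finding)
    print("Routing (newest hop first):")
    for hop in report["hops"]:
        print("   ", hop)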

Types of Major Cyber Risks facing HK companies in 2016

• Ransomware
• Business email scams / C-suite fraud
• Destruction of critical systems
• Theft of personal data and communications (e.g. emails): misuse and disclosure
• Attacks on networking devices

Source: FireEye Cyber Defense Live Hong Kong 2016

Types of Cyber Risks facing companies

Targets:
• Financial services
• Media & education
• Telecommunications
• Law firms

Risks and Loss

• Financial loss
• Loss of intellectual property (confidential information and trade secrets)
• Money theft
• Business disruption: loss of trust; loss of business opportunity
• Damage to reputation (repeated citation?)

Risks and Loss

• Exploitation of devices: who is liable?
• Time and costs incurred in dealing with investigations by:
  • law enforcement agencies (LEAs);
  • regulators, e.g. the Privacy Commissioner: is there a duty to notify or report the breach?
• Regulatory sanction
• Claims:
  • by victims and third parties;
  • liability to the counterparty (the payment duty persists; contractual obligations);
  • multiplicity: incidents, areas, jurisdictions.

Risks and Loss

• Outside (technology):
  • hackers;
  • third parties and outsourcing;
  • cloud;
  • websites with weak security.
• Inside (people & process):
  • inadvertence / system glitch / human error: unaware of and unrecognised vulnerabilities;
  • rogue or disgruntled employees and insiders.
• Outside/inside:
  • BYOD: where is your endpoint?
  • free Wi-Fi.

Cyber Risk Prevention and Protection

• Tech is pervasive, and it is only a matter of time before you are hacked or disrupted in a bad way.
• It is not just an IT issue: it is people, process and tech.
• Everyone has a part to play, and humans are the weakest link.
• It is difficult to catch the culprits: they are anonymous and out of the jurisdiction, and data and money move at lightning speed.
• What can you do?
  • Raise awareness and provide training.
  • Situational awareness: your digital footprint; the Dark Web.
  • Where are your crown jewels?
  • What are your weak points?
  • Risk assessment.
  • Legacy systems: updates and upgrades.

Cyber Risk Prevention and Protection

• Consider buying cyber insurance (but do not ignore IT security).
• Risks generally covered by a cyber insurance policy:
  • personal data liability;
  • corporate data liability;
  • data security liability;
  • defence costs.

Cyber Risk Prevention and Protection

• Have a plan: crisis management; resilience.
• Test and monitor: does the plan work, and are people following the policies?
• Vet staff, service providers and cloud providers.
• Beware of free Wi-Fi.
• Keep a record/paper trail of responses, remedies and mitigation.

Response, Resilience, Recourse and Remedies

• Initial response to a cyber attack:
  • Engage experts, if you have not already done so at the prevention stage:
    • legal: legal advice and legal professional privilege;
    • forensic;
    • public relations.

Response, Resilience, Recourse and Remedies

• Initial response to a cyber attack: questions the board should be asking:
  • Was data stolen?
  • How does it impact our business?
  • Who did it?
  • How did they get in?
  • How much access did they have?
  • How do we remove them?
  • How do we prevent it from happening again?

Response, Resilience, Recourse and Remedies

• Investigation: the investigation after the initial response serves the following purposes:
  • gain a fuller understanding of the computer intrusion;
  • increase the chances of identifying the attacker;
  • detect previously unknown security vulnerabilities;
  • identify required improvements to computer systems.

Response, Resilience, Recourse and Remedies

• Law enforcement: companies should maintain a close connection with law enforcement representatives and discuss, before an incident occurs:
  • when the company should report an incident to them;
  • how the reporting should be performed;
  • what evidence is needed;
  • how evidence should be collected.

Passwords

• Strong passwords:
  • Use a combination of lowercase, uppercase, numbers and special characters, 8 characters long or more, like s9%w^8@t$i.
  • Use short passphrases with special characters as separators, which are difficult for crackers to guess but easy to remember, like cry%like@me (cry like me).
• Avoid using the same password for different websites.
• If it is difficult to remember different passwords for different websites, use a password manager application such as RoboForm, 1Password or LastPass.
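What makes either style of password strong is the size of the space an attacker has to search, and that only holds if the characters or words were chosen at random. The block below is an added example, not from the ONC slides, that puts numbers on the two styles above and generates cry%like@me-style passphrases with the operating system's CSPRNG. The 64-word list, the separator set and the function names are constructed for the example; a real generator would use a published list such as the EFF long list (7,776 words).

```python
import math
import secrets

PRINTABLE_ASCII = 95      # characters an s9%w^8@t$i-style random password can draw from
SEPARATORS = "%@^&!#"     # special characters placed between words

# Constructed mini word list: 64 words, i.e. 6 bits per randomly chosen word.
WORDLIST = (
    "apple bread cloud dream eagle flame grape house ivory jelly knife lemon "
    "mango night ocean piano queen river stone tiger umbra vivid water xenon "
    "yacht zebra amber blaze coral delta ember frost glide honey iris jade "
    "karma lunar maple nova opal pearl quartz raven sage topaz ultra velvet "
    "willow yonder zephyr acorn basil cedar daisy elm fern ginger hazel indigo "
    "juniper kelp lotus moss".split()
)


def random_password_bits(length, pool_size=PRINTABLE_ASCII):
    """Search space in bits of `length` characters drawn uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def passphrase_bits(word_count, wordlist_size, separator_count=len(SEPARATORS)):
    """Bits of `word_count` random words joined by random separators from a set of `separator_count`."""
    return word_count * math.log2(wordlist_size) + (word_count - 1) * math.log2(separator_count)


def generate_passphrase(word_count=4, wordlist=WORDLIST, separators=SEPARATORS):
    """Passphrase with every word and separator picked by secrets.choice (CSPRNG), not random."""
    if word_count < 1:
        raise ValueError("need at least one word")
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    phrase = words[0]
    for word in words[1:]:
        phrase += secrets.choice(separators) + word
    return phrase


def parse_passphrase(phrase, separators=SEPARATORS):
    """Split a passphrase back into its words (used to check generator output)."""
    words, current = [], ""
    for ch in phrase:
        if ch in separators:
            words.append(current)
            current = ""
        else:
            current += ch
    words.append(current)
    return words


if __name__ == "__main__":
    print("10 random printable characters: %.1f bits" % random_password_bits(10))
    print("6 random EFF-list words, one separator: %.1f bits" % passphrase_bits(6, 7776, 1))
    print("4 words from the 64-word list: %.1f bits" % passphrase_bits(4, len(WORDLIST)))
    print("example:", generate_passphrase(4))
```

A 10-character string drawn uniformly from the 95 printable ASCII characters is about 65.7 bits; six words from a 7,776-word list is about 77.5 bits before counting the separators, and it is far easier to memorise. The figures apply only to machine-generated secrets: cry%like@me is three common words a person chose, and a cracker's wordlist will try such combinations long before it exhausts 41 bits of space. Whatever the style, a password manager, as the slide suggests, removes the need to memorise more than one of them.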

Ransomware

• Advice from the FBI:
  • Implement a robust data back-up and recovery plan. Maintain copies of your files, particularly sensitive or proprietary data, in a separate secure location. Back-up copies of sensitive data should not be readily accessible from local networks, i.e. store the back-up offline.
  • Never open attachments included in unsolicited emails. Be very vigilant about links contained in emails, even if the link appears to be from someone you know. Go to the links DIRECTLY (type the address yourself rather than clicking what the email shows you).
  • Keep your anti-virus software up to date.
  • Enable automated patches for your operating system and web browser.
  • Only download software, especially free software, from sites you know and trust.
• Don't pay the ransom (HKCERT advice too).

THANK YOU

Dominic Wai, Partner of ONC Lawyers
19/F., Three Exchange Square, 8 Connaught Place, Central, Hong Kong.
Tel.: 3906 9649  Fax: 2804 6311  Email: [email protected]