Jamie Woodruff is a certified penetration tester and ethical hacker. He will be addressing the Euforum congress Toekomst van het Betalingsverkeer (Future of Payments). Many technologies will change the world forever, but humans appear to be the constant factor, and the weakest one.
“When you run a company, your employees are your first line of defense, and they are your last one. So it is scary to see how vulnerable they all are to all kinds of attacks on their security systems. As an ethical hacker and certified penetrator, I get paid by companies to assess their security. So I run tests on their systems and their software. But I also check the awareness of their staff. My main advice to clients is: make sure your physical environment is safe, and let the hackers do the online part of your company security.”
Hackers improving your online security: how does that work?
“Many companies and platforms already have bug bounty programmes, inviting hackers to look for bugs in their systems. Hackers that succeed get an amount of money for showing the bugs. Now the price tag of thousands of dollars may seem high, but the damage that can be prevented this way is often much more valuable. And of course, there will be good guys and bad guys among the hackers, and some are in the middle. The amount of money, and the knowledge that they would truly hurt many people if they took advantage of the bugs, could make them step forward.
For example, I found bugs in three world-leading platforms while playing with my phone. It took me fifteen to twenty minutes. If you get a few thousand pounds for disclosing this find, one could easily run a household for twenty thousand pounds a month. Even without submitting to hundreds of bug bounty programmes.”
Do banking institutions also offer these bounty programmes?
“Financial offices and institutions are participating in hacker bonds. And sometimes they have bug bounty programmes as well. But at the same time they still use outdated ATM machines and computer systems from the nineties. A few years ago, 95 per cent of the ATM machines were still using Windows XP programmes, even though Microsoft no longer supports the software.”
On the internet, various examples of hacking techniques can be found. Where is your specific field of expertise?
“I am specialized in the human part of security. We specialize in people’s behavior, in subliminal conscience. We test people’s willingness to click on infected emails, go to infected websites. But we also do social engineering – which goes as far as getting a job as a pizza deliverer to get past a client’s reception and security, so that we can put our data sniffer near the company’s data server – or simply ringing employees, sending phishing emails and walking into companies to extract data. Many companies are not aware of how vulnerable they are.”
You will be addressing the Future of Payments Congress. Will your presentation leave your audience reassured?
“My presentation is actually going to be quite scary. I know I could go on stage and tell statistics. But this will make me lose their attention. Instead I am going to show them what is possible, and how easy it is to get the information you require. Even without breaking any law.”
So what is needed to get security to a higher level?
“Most companies are used to spending large amounts on hardware. Bigger hard disk drives, new workstations. They expect all problems in cybersecurity to be solved by hardware or the IT department. But meanwhile the biggest issue is the lack of awareness of the employees. If they are not properly trained, their behaviour will cause damage to the company. They open infected emails containing ransomware and even infect their own backup systems with that ransomware. Companies lose millions of pounds like this. And the damage could have been prevented by training.”
In your opinion, what is the future of payments going to look like?
“I think there is going to be more blockchain technology. We are more and more online. We spend more than half our time online. We get more dependent on being online for running our businesses and our daily lives. That is a huge risk if we do not pay attention to our own cybersecurity. As long as we give our six-year-old child an iPad, and tell them to choose 123456 as a password, we do not teach our own children the awareness that is needed for our time and theirs. And that is where it should all start.”