Regis Billings, an FBI agent and cybercrime expert, recently investigated a case involving a transportation company that lost $340,000 in a single transaction.
The crime started by infiltrating the home laptop of an employee at the company. The criminal monitored the employee’s transactions and correspondence with other workers to discover a route to get into the company’s IT systems to misdirect funds.
Cybercriminals have become very good at monitoring computer networks, he said, and at routing their attacks through the software systems that companies use. They can jump into a fleet’s payroll system or break into an automatic bank drafting system, among other possibilities, to misdirect funds, he said.
“They want to know your process,” he said. In some cases, money may not be what they are looking for. Billings has investigated cases where hackers are nation states that infiltrate the IT systems of transportation companies to learn how they operate and steal intellectual property.
Billings took part in a panel discussion on cybercrime at the Omnitracs Outlook user conference, Feb. 26, in the Nashville Gaylord Opryland resort. He and two other panelists stressed a need for more cybersecurity around the “human elements” of transportation.
The panel agreed that drivers are the most vulnerable human element, as they interact daily with corporate IT systems using connected mobile devices and vehicles.
Panelist Ben Gardiner, principal security engineer for Irdeto, cited third-party research showing that many of the new electronic logging devices (ELDs) on the market lack basic cybersecurity. This is a concern, he said, since ELDs can be an entry point to a vehicle’s controller area network (CAN) and to fleet IT systems.
The experts at the Omnitracs conference said that fleets should at a minimum restrict their connected devices, such as tablets, to trusted websites, as cybercriminals will use links in websites to introduce malware to devices.
Malware is code that installs itself on devices to read emails and capture passwords and other sensitive information.
Gardiner pointed to a website, www.haveIbeenpwned.com, that anyone can use to see whether their email accounts and passwords have been compromised.
Panelists also cautioned attendees not to open attachments such as Word or PDF files from unknown email senders, as these files may contain malware.
The most dangerous malware is found in links on websites that offer “free” porn, Gardiner said. He and other panelists also cautioned fleets not to use “free” products, which in some cases could be an ELD, since a product is free only when someone is using your data for its monetary value.
Some fleets may also be vulnerable by giving drivers access to Wi-Fi hotspots through mobile, in-cab telematics platforms. Cybercriminals can use these hotspots, if they are not locked down, to find and exploit information on connected devices in or around the vehicle, he said.
The panelists recommended using “two-factor” authentication techniques to give employees access to corporate IT systems. These techniques use one-time-use codes for passwords. The codes can be sent by SMS text to a driver’s personal mobile phone.
Mathew Carpenter, principal researcher for Grimm, an engineering and consulting company that specializes in cybersecurity, has been able to successfully hack into vehicle control systems using connected systems like telematics and ELDs.
Carpenter hacks into these systems for clients to test their security. Once connected to the CAN bus, he said a hacker could control the engine and even disable the brakes. Once a single truck has been compromised, a cybercriminal could potentially introduce malware to all trucks on the same mobile platform, he said, using an over-the-air update process.
FBI agent Regis Billings said it is conceivable that a vehicle could be hijacked by accessing its CAN bus remotely and bringing it to a stop. He is unaware of that scenario happening in the real world, however.
If a fleet falls victim to a cybercrime, Billings said, it is very unlikely that the FBI will retrieve any lost money, especially if that money has been transferred overseas. Tracking down criminals, not recovering lost funds, is the agency’s main goal.
“We’re all about putting silver bracelets on you,” he said.