How ‘digital transformation’ gave birth to a new breed of criminal: ‘machine-identity thieves’

By Byron V. Acohido

There’s a new breed of identity thief at work plundering consumers and companies.

However, these fraudsters don’t really care about snatching up your credentials or mine. By now, your personal information and mine has been hacked multiple times and is readily on sale in the Dark Web. This has long been true of the vast majority of Americans.

Related article: 7 hacks signaling a coming global cyber war

The identities most sought after by cyber criminals today are those associated with machines. This is because the digital wizardry driving modern society relies heavily on machine-to-machine communications. And guess what? No one is really watching authentication and privileged access, with respect to those machines very closely.

It’s my belief that every consumer and every company will very soon come to realize that a new breed of criminal – machine-identity thieves – will soon become all-powerful, and not in a good way. Here’s why:

Fresh attack surface

 If you haven’t heard, we are undergoing “digital transformation.” Digital advances are coming at us fast and furious. Consumers have begun accustomed to conveniently accessing clever services delivered by  a sprawling matrix of machines, and not just traditional computer servers.

The machines enabling digital transformation include virtual instances of computers created and maintained in the Internet cloud, as well as myriad instances of software “microservices” and “containers” that come and go as part of the dynamic processes that make all of this happen.

Each machine must continually communicate with countless other machines. And as the number of machines has skyrocketed, so has the volume of machine identities. From a criminal’s perspective, each machine represents an opportunity to slip into the mix and take control. And each machine identity represents a key to get in the door.

 Machine-identity capers

The creation of this vast new attack surface isn’t just theoretical. It’s tangible and threat actors are on the move. “Hackers are stealing machine identities, and using them in attacks, and it’s happening more and more,” says Jeff Hudson, CEO of security supplier Venafi.

Havoc already is being wreaked. The most recent example comes from Timehop, a service that enables social media users to plug into their past. On Sunday, July 8th, Timehop shared details about how a hacker got into their network, conducted several reconnaissance forays, and then moved swiftly on July 4th to pilfer personal information for 21 million Timehop users, including their social media “access tokens.”

Misuse and manipulation of machine identities almost certainly is coming into play in the type of deep breaches digitally-transformed organizations are now experiencing.

Much like the recent hacks of Uber and Tesla, the Timehop caper revolved around the attackers manipulating admin credentials and maneuvering extensively through Timehop’s cloud environment. In the Uber hack, a company software developer sloppily left his logon credentials for Uber’s Amazon Web Services account out in the open, where it could easily be stolen. A hacker snapped it up, and subsequently navigated deep into Uber’s AWS platform to steal personal data for 50 million passengers and seven million drivers.

In Tesla’s case, a company insider had  on his mind. The disgruntled employee reportedly hijacked a co-worker’s credentials as a starting point to gain access to sensitive systems. He then altered manufacturing production codes and pilfered copies of sensitive business data.

Security responsibilities

A very big challenge lies ahead. Companies are in a honeymoon period with digital transformation. Everyone drools about the speed and agility of digital advances; this takes focus away from shoring up of essential security systems and best practices.

The basics include going through the trouble of taking a detailed inventory of sensitive data and systems, including all machine identities in play. The technology to accomplish this is readily available. Senior executives need to make smart decisions about security purchases and set the example for living and breathing security best practices.

And individual employees (who also happen to be consumers) need to take on their fair share of this burden. We love convenience, social media and clever apps. Yet we need to come to grips with the notion that machine-identity thieves are about to take us down a road we’ve never been down before, in terms of cyber exposures.

Get used to the idea of using digital services much more circumspectly at home – and especially at work.


(Editor’s note: Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.)


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone