In a world of growing cybersecurity threats, our digital lives, both personal and corporate, are increasingly vulnerable.
This article explores two cybersecurity incidents: a dreadful personal experience and a triumphant corporate one.
The Unexpected Phone Call.
It all started one chilly morning at approximately 5:45 a.m. I got an unexpected phone call from an unknown number. I was curious, so I answered the phone. On the other side was the voice of a woman:
“Is this Festus Iyere?”
I responded, “Yes, it is.”
She asked, “Did you authorize a payment to Facebook?” The answer was resolute: “No, I did not.”
She explained further that a payment had been made to Facebook from my account and that she was calling to verify its legitimacy. However, the call ended abruptly, and I dismissed it as a possible prank.
Later that day, I got another call weirdly inquiring about the same thing. This time, the caller was a man. With a deep voice, he asked, “Did you authorize a payment to Facebook?” Again, not taking it seriously, I confidently answered, “No, I did not.” Then he introduced himself as Oluwatosin from U.B.A. headquarters and confirmed a payment had been made to Facebook, depleting the account balance to ₦0.
Suddenly, everywhere became hot. I started sweating profusely. I hadn’t used my U.B.A. card in a very long time. I had it stored somewhere in my house, and when I went to check, the card was still there. The entire experience ruined my day. My account was wiped clean, and it took me a very long time to recover.
I still don’t know how this attack was done, but it could have been prevented in various ways.
- Multi-Factor Authentication: In recent years, many platforms have required customers to use multi-factor authentication methods, such as Time-Based One-Time Passwords (TOTP). TOTPs are temporary 6-digit codes that are typically valid for 30-60 seconds and can be accessed through SMS, email, software or hardware tokens. Other authentication methods include biometric authentication and security questions.
- Ignore Vishing and Phishing Emails: Phishing and vishing are both cyberattack techniques that malicious actors use to deceive individuals into revealing sensitive information such as usernames, passwords, bank card numbers, or personal identification numbers (P.I.N.s). However, they differ in the method of execution. Phishing is a technique where attackers use deceptive emails, websites, or messages to impersonate trustworthy entities, such as banks, government agencies, or reputable companies. Generally, the email includes a link to a replica website that asks for personal information or financial details. If the victim falls for the scam, their identity and personal data are stolen and then used to access their financial accounts or sold on the dark web. Vishing, short for “voice phishing,” is a technique that uses voice communication, typically over the phone, to trick individuals into divulging sensitive information.
*Disclaimer* Cowrywise would never send an email or text message asking for access to your account, nor would we call asking for any code or password.
A Tale of Numerous Server Failures.
When it comes to digital platforms, server failures are a persistent challenge. Although some incidents are genuine, a considerable number of them are malicious. Out of multiple server failure experiences, one event stands out in particular.
At exactly 4:55 a.m. on a peaceful Saturday morning, my phone rang. Oddly, it was our C.T.O. The timing was unusual, so I immediately picked up the phone. Something had to be wrong.
“Hi Festus, Good morning,” greeted my C.T.O. in his baritone voice. “Our website is currently down. Could you please take a look at it?” The urgency in his voice heightened my concern. I promptly sprang into action, grabbing my laptop to investigate the situation.
At the time, we had not implemented real-time monitoring on all our servers, a gap that this incident was about to expose. As I investigated the situation, I discovered the root cause of the failure: a Distributed Denial of Service (DDoS) attack. The DDoS attack, characterized by overwhelming a target system, network, or website with an overflow of traffic from multiple sources, effectively rendered our platform inaccessible to our legitimate users.
I immediately got on a call with the infrastructure lead, Abdulrahman, whose response, thankfully, was very swift. We halted the ongoing attack and restored services. We immediately strengthened our defences, implementing real-time monitoring and deploying robust Web Application Firewalls (W.A.F.) across all our servers. These measures ensured that such disruptive incidents would not happen again.
This incident would serve as a pivotal moment for us regarding security. It was the last time, in recent memory, that a DDoS attack would breach our defences with any success. Since then, we’ve encountered countless DDoS attack attempts with no success.
At Cowrywise, we understand that safeguarding our users’ data and ensuring the reliability of our services is a non-negotiable commitment, and our actions reflect this dedication to corporate security.
Corporate Security: A Crucial Imperative.
The 2020 Twitter hack is a stark reminder of the evolving threat landscape in the digital age. Personal and corporate scams are rampant, with malicious hackers devising new methodologies like phishing emails and vishing to exploit individuals and organizations.
At Cowrywise, we understand the gravity of these threats. That’s why we are committed to a series on security, focusing on navigating and mitigating daily security challenges. From securing user data to protecting our platform, we take corporate security seriously.