Early in April, a financial advisor and her team met with an insurance company wholesaler over the video conferencing platform Zoom, as the current coronavirus quarantine required.
Unbeknownst to them, another participant had joined the virtual meeting.
As the hacker captured details, the wholesaler named the price of a new policy and the advisor agreed to the terms.
It’s likely that even before the meeting ended the eavesdropper generated an email to the advisor so that it appeared to come from the insurer. In a later forensic analysis, an overlooked detail revealed the spoof: a single letter the hacker changed in the insurance company’s name.
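The spoof described above hinged on a sender domain one letter off from the real insurer's. The following is an added example, not code from the article or from any firm it quotes, of a defensive check that flags sender domains within one edit of a trusted counterparty domain; the trusted domains and the e-mail headers are constructed.

```python
# Added example (not from the article): flag From: addresses whose domain is a
# single-character edit away from a known counterparty domain, the kind of
# one-letter substitution the forensic analysis uncovered.
from email.utils import parseaddr

# Constructed list of domains the advisory firm actually corresponds with.
TRUSTED_DOMAINS = {"acmeinsurance.example", "advisorfirm.example"}


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Classify a sender as ('trusted', domain), ('lookalike', trusted_domain
    it imitates) or ('unknown', None)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted", domain
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_distance:
            return "lookalike", t
    return "unknown", None


def flag_lookalikes(from_headers):
    """Return the headers that imitate a trusted domain, for review before any
    wire instruction in them is acted on."""
    return [h for h in from_headers if classify_sender(h)[0] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample headers: genuine, one-letter lookalike, unrelated.
    samples = ["Acme Insurance <wholesaler@acmeinsurance.example>",
               "Acme Insurance <wholesaler@acmeinsurence.example>",
               "Someone <x@unrelated.example>"]
    for h in samples:
        print(classify_sender(h), h)
```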
After the meeting ended, the advisor received the message with instructions to wire money — in the low six figures — to a New York bank account. She did as instructed, sending the money to the hacker.
“This is how fast the bad actors are,” says Brian Edelman, cyber consultant and founder of FCI in Bloomfield, New Jersey, who the insurer brought in to handle the breach. (He agreed to provide only general details as he is legally constrained from discussing client cases.) Only rapid intervention by the FBI managed to recover the money, Edelman says.
Last week Zoom announced the most recent in a series of ongoing upgrades to its service including enhanced encryption and protection against tampering. The tool now comes with default passwords and participant monitoring, via virtual “waiting rooms,” among other features.
OFF THE TRACKS
In the midst of the COVID-19 crisis, similar fiascos are unfolding throughout the field of financial advice now, Edelman and other experts say — although not all with such happy endings. Given the rapidity with which the entire industry was forced to virtualize its operations roughly six weeks ago in response to the coronavirus quarantine, many advisors and their firms have not taken remedial steps to protect themselves from attacks (see below for 11 critical ones). When financial services went virtual in March, few advisors stopped to consider the agreements they clicked on to enable video meetings. Since then, sweeping security problems with such providers, including Zoom, have been reported.
Their lapses are putting billions of client assets at risk, those experts say. If even a small percentage of the many trillions of dollars under management across all financial services is vulnerable, that amounts to billions on the line, says Sid Yenamandra, founder of cyber security software provider Entreda, based in Santa Clara, California.
“It’s a train wreck,” says Edelman, whose firm provides cyber security consulting to large banks and other financial firms, such as TD Ameritrade. “Without question we are facing the single largest data breaches in the history of financial services today.”
A Zoom spokesperson says the company has taken complaints seriously. The company’s CEO Eric Yuan now holds weekly webinars highlighting security upgrades and users can access regularly posted tutorials, training and webinars on how to better secure their meetings.
The dangers are real and come not just from hackers making use of video conference platforms, experts say, but from the platform providers themselves, potentially. Many apps own content generated during the meetings they host, according to privacy agreements users click to accept.
For example, Zoom can automatically generate transcripts of meeting conversations and later data mine those transcripts, according to Consumer Reports. A Zoom spokeswoman pushed back against that characterization, saying Zoom does not monitor its users’ meetings, does not sell users’ data and “has no intention” of doing so going forward.
“Working from home is fundamentally changing the risk paradigm for all industries, but particularly for wealth managers,” says Yenamandra, whose clients include hundreds of RIAs and eight of the top 15 broker-dealers.
The scope of the change is illustrated by the explosion of Zoom’s user base: from 10 million users in December, it has mushroomed to 300 million this month, the San Jose, California-based firm reports.
That upswing includes financial services, banking and asset management professionals who collectively manage trillions of client dollars. To cope with the night-and-day change in their ways of doing business, many firms left highly secure systems tightly overseen by their IT departments and allowed their advisors to move onto whatever setups they have at home.
LOSS OF CONTROL
Resulting total dollar losses to the industry from theft through unsecure virtual channels are “going to be huge,” says cyber consultant Wes Stillman, of RightSize Solutions in Lenexa, Kansas.
“Do you think home networks are as secure as what you’ve built in your company’s RIA office?” asks Stillman, who is a Financial Planning contributing writer. “The answer is probably no. But yet we said, ‘Hey, jump on your home network and do business as normal.’ That is very scary to me.”
And scary as things may seem now, it’s in the coming months that advisors and their firms will start facing tough questions in court as mounting claims to cyber insurers roll in, agree Stillman, Edelman and Yenamandra. All three consultants’ firms provide planners and firms with cyber software or support packages.
HACK OF FAMILY-RUN RIA
In the matter of the bogus insurance policy wire transfer, the money was recovered only because the loss was quickly discovered, Edelman says, but increasingly hackers are figuring out ways to build in delays to ensure wire transfers cannot be clawed back by authorities.
In a matter Stillman handled, two family members who own an RIA left town at the same time. The owners sent internal emails informing colleagues who was in charge in their absence. For hackers who had already been monitoring their emails — and who had also taken over one client’s email — this was the moment they’d been waiting for, Stillman says.
Weeks earlier, the hackers sent a message purportedly from that client to the RIA informing it of a new phone number. In response, the firm sent the client a form to fill out confirming the new phone number. The hacker promptly did so and returned the form. The firm then updated the client’s account in its CRM with the hacker’s phone number.
That’s a deep hack, according to Stillman.
After the RIA owners left for vacation, the firm suffered wire fraud, according to Stillman. When employees of the firm called the client to verify that the request for funds was legitimate, Stillman says, the hacker answered.
“OK, confirmation. American accent. And the wire went out,” he says. “This stuff is very sophisticated.”
Edelman says some hackers move with such alacrity and uncanny timing that he suspects many are state-sponsored.
Stillman, for his part, imagines his foes as smaller fry — the digital equivalent of teenagers cruising the neighborhood to see who left their garage door open so they can steal a car.
“After I quit seeing red, I think they are just normal people. This is a job to them,” says Stillman. “I picture it as a very bright person. Lazy. This is a great way to earn income and they don’t have to work for corporations.”
Not that he’ll ever know.
“When we turn this over to people like the FBI, we never get the details back,” Stillman says.
But there is good news, experts say. Advisors and their firms can reduce their chances of being hacked, phished, spoofed and otherwise digitally fleeced via their virtual workspaces:
- Always use up-to-date versions of virtual meeting tools. Automatically update the software when prompted to do so.
- Use paid commercial versions of the apps, which come with more security — and not free ones.
- Use passwords for meetings and do not post passwords publicly, such as on social media sites. “That’s a calling card for hackers who can get in,” Yenamandra says.
- Use the “waiting room” feature where available, which lets a meeting organizer admit participants one by one.
- Use two-factor authentication to verify users via more than just one device.
- Do not click on Zoom invites, especially from unknown senders. Instead, paste the link into your browser directly. When the sender is unknown, do not use the invite at all.
- Make sure Alexa or Nest Cam devices in home offices are up-to-date and secured. If not, they could be hacked, allowing hackers to eavesdrop not only on a virtual meeting, but an advisor’s entire workday.
- Never say anything on a virtual meeting that you wouldn’t want a stranger to overhear, Edelman says.
- Use code names when referring to specific client accounts or mention just the last four digits of any account number, in the manner that all paper account statements do, for security reasons, he adds.
- Do not share files or other sensitive data in a video conference. Although virtualized meeting services have enhanced their offerings by enabling meeting participants to chat with each other, share files and view white board notes while interacting via video, some apps may keep that data, and hackers who manage to get into a meeting may, too.
- Choose services with the best reputations for security. Experts interviewed for this story hesitated to recommend any providers, given how rapidly security standards can be breached and, in response, strengthened by companies. However, all cited the virtual meeting service Teams, part of Microsoft’s Office 365 software package, as one of the most secure at the moment. They also note that Teams’ strong security means it’s neither as easy nor as intuitive to use as Zoom. That said, a columnist for Forbes recently recounted a sophisticated breach of private equity firms that exploited vulnerabilities in Office 365 and allegedly enabled hackers to make off with about $650,000.
While Stillman knows firms that have paid into the six figures for deductibles on their cyber risk policies following breaches, their insurers likely paid out larger sums, well into seven figures, he says. Despite steep losses like these, Stillman thinks all the rude change foisted upon financial services will be a good thing over the long haul.
“There is a silver lining here,” he says. “Once we get this figured out, it is going to change the way we in the industry talk to our clients period, to the convenience of our clients.”
Penny Crosman, executive editor of American Banker, contributed to this report.