Regis Billings, an FBI agent and cybercrime expert, recently investigated a case where a transportation company lost $340,000 in one transaction.
The crime began by infiltrating the home laptop of an employee of the company. The criminal monitored his work transactions and correspondence to find a way to get behind the corporate firewall to misdirect funds.
Cybercriminals have become very good at monitoring computer networks, he said, and routing their attacks through the software systems that companies use. They could do this by jumping into a fleet’s payroll system to exploit it or by breaking into an automatic bank drafting system to misdirect funds, he said.
“They want to know your process,” he said. Money may not be all they are looking for, either. Billings has investigated cases where the hackers were nation states that infiltrated the IT systems of transportation companies to learn how they operate and to steal intellectual property by monitoring their fleet management systems.
Billings took part in a panel discussion on cybercrime during the Omnitracs Outlook user conference, Feb. 26, at the Gaylord Opryland resort in Nashville, Tenn. He and other panelists stressed the need for more cybersecurity, especially around the “human elements.”
The panel agreed that drivers are the most vulnerable human element of a transportation company. Drivers interact daily with corporate IT systems through connected mobile devices and connected vehicles.
Panelist Ben Gardiner, principal security engineer for Irdeto, cited research by a third party that showed many of the new electronic logging devices (ELDs) on the market lack basic cybersecurity. This is a concern, he said, since ELDs can be an entry point to a vehicle’s controller area network (CAN) and to fleet IT systems.
The experts at the Omnitracs conference said that fleets should at a minimum restrict their connected devices, such as tablets, to trusted websites, as cybercriminals will use links in websites to introduce malware to devices.
Malware is code that installs itself on devices to read emails and capture passwords and other sensitive information.
Gardiner pointed to a website, www.haveIbeenpwned.com, that anyone can use to check whether their email accounts and passwords have been compromised.
Panelists also cautioned attendees to not open attachments such as Word or PDF files from unknown email senders as these files may contain malware.
The most dangerous malware are links in websites that offer “free” porn, Gardiner said. He and other panelists also cautioned fleets to not use “free” products, which in some cases could be an ELD, since the only way products are free is that someone is using your data for its monetary value.
Some fleets may also be vulnerable by giving drivers access to Wi-Fi hotspots in their mobile, in-cab platforms. Cybercriminals can use these hotspots, if they are not locked down well, to find and exploit information on connected devices in or around the vehicle, he said.
The panelists recommended using “two-factor” authentication techniques to access corporate IT networks and systems. These authentication techniques use one-time-use codes for passwords. The codes can be sent using SMS text to a driver’s personal mobile phone, for example.
Mathew Carpenter, principal researcher for Grimm, an engineering and consulting company that specializes in cybersecurity, has successfully hacked into vehicle control systems by using connected systems like telematics and ELDs.
Carpenter hacks into these systems for clients as a way to test their system security. Once connected to the CAN bus, a hacker could then control the engine and even disable the brakes. Once a single truck has been compromised, a cybercriminal could potentially introduce malware to all trucks on the same mobile platform, he said, using an over-the-air update.
FBI agent Regis Billings said it is conceivable that a thief could hijack a vehicle by hacking into the vehicle’s CAN bus to bring it to a stop on the side of the road. He is unaware of any cases where that scenario has happened, however.
If a fleet is victim to a cybercrime, Billings said it is very unlikely the FBI will be able to get back lost money, especially if money has been transferred overseas. Tracking down criminals, not funds, is the agency’s main goal.
“We’re all about putting silver bracelets on you,” he said.
This article was written by Aaron Huff, senior editor at Commercial Carrier Journal, a partner publication of Hard Working Trucks.