Imagine hackers commandeered a capital city’s transit system, holding it hostage for a cryptocurrency ransom. Consider the implications of this attack: beyond a data breach, it raises serious questions about the security of transportation and infrastructure in modern cities. This isn’t the latest plot from Black Mirror. This really happened last week with an attack on the website of Dublin’s tram system Luas. On January 3rd, hackers posted a message on the Luas homepage, threatening to publish the site’s private data unless they received one bitcoin in ransom. This is not the newsiest of hacks — the tram system is still fully operational, and the demand of a single bitcoin, currently around $4,000, is small for a ransom. But there are reasons to pay attention to this story — not for the impact of the hack itself, but instead, for what it tells us about the future of extortion.
Here are four risks highlighted by the Luas attack.
1. Virtual Extortion is on the Rise
From the CryptoLocker to the WannaCry attacks, hackers have taken advantage of our reliance on technology to wreak havoc and extort enormous sums. In recent years, these attacks have grown increasingly sophisticated, widespread, and difficult to contain. Rather than focusing on high-value targets, hackers earn a profit through economies of scale — extorting smaller sums from a greater number of victims.
This reflects a current trend in virtual kidnapping — a form of extortion in which the perpetrator tricks a family into paying a ransom for a loved one, who has not, in fact, been abducted. While this crime is spreading to the United States, it is already a mainstay in Latin American prisons, where former kidnappers from political and criminal groups in Mexico, Guatemala, and Colombia turn to virtual extortion from behind bars. They, too, make their money by demanding small sums across many short-term attacks. Prisoners’ prior experience in actual kidnappings confers transferable skills, as they turn to phones and deception to extort virtually.
2. Cryptocurrency is an Attractive Ransom
Cryptocurrencies are associated with criminal activity, partly because they offer some anonymity. They are an especially attractive form of ransom, though, because they avoid the otherwise necessary ransom drop. The “drop” can be a dangerous proposition for the kidnappers, as law enforcement can use physical proximity to track or capture the perpetrators. The most careful kidnappers devise a complicated set of movements and tasks to evade capture during the ransom exchange. By completely eliminating the in-person drop-off, perpetrators massively reduce the overall risk of collecting a ransom. This trend is catching on. Ransoms have been demanded in bitcoin for recent kidnappings in South Africa and Ukraine.
3. Deadlines Reveal Capabilities
Deadlines can tell us a lot about a perpetrator’s capabilities. The Luas hackers gave tram employees a deadline of five days to pay the ransom or risk a public data breach. Though we can’t know for sure, this threat suggests that the hackers may not actually have gotten access to the private data. If they had, they more likely would have posted a portion of it publicly to demonstrate the credibility of their threat, and then set a price for taking it down.
The hackers’ deadline demonstrates what social scientists call a non-credible threat: a threat that a rational person would not carry out, and therefore, one not to be believed. Deadlines in kidnapping and extortion typically demonstrate the perpetrators’ panic: the stronger and more secure he is, the longer he is willing to wait to be paid (and the higher the ransom he is likely to demand). Hostage negotiators urge those targeted to ignore urgent deadlines, but they’re also an important clue into who’s on the other end of the call.
4. Transportation is an Easy and Terrifying Target
From the spate of airline hijackings in the 1960s and 1970s to the bus bombings that characterized the Second Intifada, transportation has long been an attractive soft target. The lack of meaningful security and seemingly random victimization make public transportation an especially useful target for those terrorists who aim not to hurt specific individuals, but to indiscriminately terrorize the public. Hijackers have thus gained fame, fortune, and political concessions by commandeering vehicles by land, air, and sea.
The Luas hack may have only affected a municipal website, but it begs us to consider the enormous potential risks incurred when transportation and technology come together – risks that extend far beyond privacy and data breaches. Thanks to advances in technology, we may now need to worry about the dual threat of hacking and hijacking if driverless cars are hacked. This would create a very real hostage situation, with a victim being held or moved against her will, while the perpetrator remains at a safe distance. This is only the latest technological innovation that could revolutionize global hostage taking, as cellphones and portable internet technology transformed kidnappers’ ability to create a threatening spectacle from a safe location. Experts are at work on systems to assess liability when a driverless car is in an accident; society should also demand the utmost safeguards against an external hack.
In the meantime, Dubliners can be grateful that this attack was limited to the virtual realm.