Video Monitoring Services: A Cautionary Tale
Phishing and other cyber attacks leave victims feeling helpless, angry, and violated. But there are few attacks worse than one that exposes the victim physically. In today’s story, we will see what can happen when a video monitoring company is faced with an insider threat.
An ADT employee took advantage of his position to spy on customers in their homes. He added his own email address as a user on their accounts in order to access their security cameras at any time. It was through his trusted position as a tech that he was able to gain access. He targeted victims he found attractive and spied on their intimate moments. Over 200 accounts were affected and cameras were accessed close to 10,000 times without permission. The tech was only caught when a customer noticed an unknown email address as a user on their account. He was fired and prosecuted, but for the victims, the damage was done.
ADT took action to terminate the tech and cooperated with law enforcement once the situation came to light, but this should never have happened. Considering the level of trust and access customers give ADT (or any security monitoring company), there are technical controls ADT could have implemented to keep its customers safe. Let’s look at what ADT could have done better.
First, accounts should be configured so that the account holder is automatically notified when a new user is added to the account or when contact information is updated. The customer would be immediately aware that something was amiss. This is fairly standard in the financial industry (think payment thresholds or new logins for credit cards and bank accounts).
Next, ADT should be auditing their own data to detect if the same email is used across more than a couple of accounts. The tech’s email address would have been flagged after it was used several times, and a disaster of this magnitude would have been avoided.
Finally, ADT should be monitoring IP addresses accessing data feeds. With this protective measure in place, if a new IP address is suddenly viewing a live feed, the customer can be made aware of it. It may be that the customer is traveling and checking on their home via hotel WiFi. On the other hand, it could be someone who has accessed the video feed without authorization. Regardless, it’s best to notify the customer and empower them to act upon or dismiss the notification.
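To make the second and third controls concrete, here is an added example (not ADT's code or anything from the original story) that audits for one email attached to too many accounts and flags feed views from an IP not seen before on that account. The record layouts, the threshold of two accounts, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real records): (account_id, user_email) pairs
# as they might appear in an account-user table.
ACCOUNT_USERS = [
    ("A100", "owner1@example.com"),
    ("A100", "tech@example.net"),
    ("A101", "owner2@example.com"),
    ("A101", "tech@example.net"),
    ("A102", "owner3@example.com"),
    ("A102", "tech@example.net"),
    ("A103", "owner4@example.com"),
    ("A103", "owner3@example.com"),  # one person on two accounts: under threshold
]

# Constructed feed-access log: (account_id, user_email, source_ip), oldest first.
FEED_ACCESS = [
    ("A100", "owner1@example.com", "198.51.100.7"),
    ("A100", "owner1@example.com", "198.51.100.7"),
    ("A100", "tech@example.net", "203.0.113.50"),
    ("A101", "owner2@example.com", "192.0.2.14"),
    ("A101", "owner2@example.com", "192.0.2.99"),
]

def shared_emails(account_users, max_accounts=2):
    """Return {email: sorted accounts} for emails on more than max_accounts accounts."""
    seen = defaultdict(set)
    for account, email in account_users:
        seen[email.strip().lower()].add(account)  # normalise case and whitespace
    return {e: sorted(a) for e, a in seen.items() if len(a) > max_accounts}

def new_ip_alerts(feed_access):
    """Return accesses whose source IP was not seen before on that account.
    The first IP ever seen for an account is treated as its baseline."""
    known = defaultdict(set)
    alerts = []
    for account, email, ip in feed_access:
        if known[account] and ip not in known[account]:
            alerts.append((account, email, ip))
        known[account].add(ip)
    return alerts

if __name__ == "__main__":
    for email, accounts in shared_emails(ACCOUNT_USERS).items():
        print(f"REVIEW: {email} is a user on {len(accounts)} accounts: {accounts}")
    for account, email, ip in new_ip_alerts(FEED_ACCESS):
        print(f"NOTIFY holder of {account}: feed viewed from new IP {ip} by {email}")
```

The new-IP check alerts on the traveling customer as well as the unauthorized viewer, which matches the point above: the account holder decides whether to act on or dismiss the notification.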
Security monitoring systems are meant to enhance our security, not jeopardize it. It’s our responsibility as consumers to make an informed decision when choosing a product, especially something as sensitive as in-home cameras and monitoring. Dive in and ask questions about the company’s security protocols. If you are considering ADT, you can see what they are doing to prevent something like this from happening again. If you are considering another company, find out what procedures they have in place to avoid a similar threat.
And, as always, be a cyber-aware consumer: Regularly check your accounts for anything suspicious, use strong passwords, and enable multi-factor authentication where available.