SPEAKING FREELY: How to not get hacked in Chinese surgery
By Richard Gould
Speaking Freely is an Asia Times Online feature that allows guest writers to have
their say.
Please click here if you are interested in contributing.
The modern business environment is a Hobbesian affair, and for companies that
do not keep ahead of security threats, life can be nasty and brutish.
Multinationals deploy a range of tools and tactics to protect their interests,
with varying levels of data and network security, anti-corruption mechanisms,
physical security, anti-counterfeiting technology, anti-theft devices,
electronic tracking systems, access control systems, and more.
But even the most well-designed corporate security schemes
occasionally fail. Just as companies' research and development departments try
to stay on the cutting-edge of technical progress, criminals are perpetually
developing ways to take advantage of security lapses. Their gain is a company's
loss, and a diverse range of industries can become targets for fraudulent
activity that is very difficult to reasonably anticipate.
Some years ago, a company called Xstek [1], which makes an advanced surgical
machine used for a certain elective procedure, faced a curious problem in
mainland China - strong demand for the company's product but missed profit
projections.
The number of people seeking out such surgery has increased in China as the
middle-class has expanded and, with this procedure quite popular, Xstek had
sold an impressive number of machines to reputable hospitals across the
country. One hospital staffer said his hospital was conducting 40-50 such
surgeries per week.
Xstek is supposed to receive revenue from each surgery conducted and ensures
revenue collection by means of a security feature built into its product. Each
Xstek machine requires a pass-card in order to operate; a counter in the
machine records each procedure and counts backward from 100 to 0. When the
machine hits zero, it is time to buy a new card from Xstek - surgery cannot be
conducted without a new card to reset the counter.
Xstek suspected that the pass-cards were being tampered with and that perhaps
someone had figured out a way to copy the coded information contained therein.
After an exhaustive investigation, it was learned that the machines themselves
were being altered, not the pass-cards. Someone had figured out a way to hack
the machines so that whenever the procedural count reached zero, the machines
automatically reset to 100. This hack allows the machines to reset indefinitely
so that an end-user never has to purchase a new pass-card from Xstek.
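The meter and the hack described above, modelled as an added example that is not from the article and not Xstek's code: a machine-side counter that counts 100 down to 0, a `tampered` flag standing in for the engineer's modification that refills it at zero, and a vendor-side reconciliation that never trusts the machine at all. The reconciliation goes one step beyond the article's own account by turning its two clues (strong sales but missed revenue, and a staffer's "40-50 surgeries per week") into a check: the number of pass-cards a site has bought against the procedure volume learned independently. The names `Machine`, `simulate`, `expected_cards` and `reconcile`, the 12-week horizon and the one-card tolerance are this example's own assumptions; 45 procedures a week is taken from the staffer's figure.

```python
"""Added example, not from the article: a model of the pass-card meter it
describes and of the vendor-side reconciliation that exposes the reset hack.
All names here (Machine, simulate, expected_cards, reconcile) and the sample
figures (12 weeks, tolerance of one card) are this example's own; the 45
procedures a week is taken from the staffer's "40-50" in the article."""
from dataclasses import dataclass

CREDITS_PER_CARD = 100  # the article's counter runs from 100 down to 0


@dataclass
class Machine:
    """The in-machine meter as the article describes it.

    `tampered` models the modification the distributor's engineer made:
    when the counter reaches zero it silently refills to 100 instead of
    refusing to operate until a new pass-card is bought."""
    hospital: str
    counter: int = 0
    cards_loaded: int = 0
    procedures_done: int = 0
    tampered: bool = False

    def load_card(self) -> None:
        """A new pass-card from the vendor resets the counter to 100."""
        self.counter = CREDITS_PER_CARD
        self.cards_loaded += 1

    def run_procedure(self) -> bool:
        """Return True if the procedure ran, False if the meter refused."""
        if self.counter == 0:
            if not self.tampered:
                return False                  # honest machine: buy a card first
            self.counter = CREDITS_PER_CARD   # the hack: self-reset, no card sold
        self.counter -= 1
        self.procedures_done += 1
        return True


def simulate(hospital: str, weeks: int = 12, per_week: int = 45,
             tampered: bool = False) -> Machine:
    """Run a site for `weeks` weeks; an honest site buys a card each time the
    meter refuses, a tampered one never needs to after the first."""
    m = Machine(hospital, tampered=tampered)
    m.load_card()  # the first card is bought legitimately either way
    for _ in range(weeks * per_week):
        if not m.run_procedure():
            m.load_card()
            m.run_procedure()
    return m


def expected_cards(procedures: int) -> int:
    """Cards a site must have bought to run this many procedures honestly."""
    return -(-procedures // CREDITS_PER_CARD)  # ceiling division


def reconcile(cards_sold: dict, procedures_reported: dict,
              tolerance: int = 1) -> list:
    """Vendor-side check that does not rely on the machine's own counter.

    cards_sold: the vendor's own sales ledger, hospital -> cards.
    procedures_reported: procedure volume learned independently (field
    visits, hospital statements), hospital -> procedures.
    Returns (hospital, procedures, sold, needed) for every site whose card
    purchases fall short of its volume by more than `tolerance` cards."""
    flagged = []
    for hospital, procedures in procedures_reported.items():
        sold = cards_sold.get(hospital, 0)
        needed = expected_cards(procedures)
        if needed - sold > tolerance:
            flagged.append((hospital, procedures, sold, needed))
    return flagged


if __name__ == "__main__":
    honest = simulate("Hospital A")
    hacked = simulate("Hospital B", tampered=True)
    ledger = {m.hospital: m.cards_loaded for m in (honest, hacked)}
    volume = {m.hospital: m.procedures_done for m in (honest, hacked)}
    print("cards sold:", ledger)
    print("procedures:", volume)
    print("flagged:", reconcile(ledger, volume))
```

Run as a script, the honest site shows six cards bought for 540 procedures and the tampered site one card for the same volume, and `reconcile` flags only the second. The point of the design is that the evidence comes from two sources the engineer could not alter: the vendor's own sales ledger and what the hospital itself says about its volume. Any enforcement that lives inside a device serviced by a third party can be modified by that party, so the detection signal has to be collected outside it.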
Initially, Xstek and its hired investigating company assumed that doctors or
hospitals must have paid a few local hackers to figure out how to modify the
machines to avoid paying Xstek. But upon further investigation, it emerged that
the culprit was not the end-user or some hired hand, but was an engineer from
Xstek's distributor, Hao-Byu, in Greater China. The engineer did not need to
work to figure out how to hack the machine - he was already trained to know
everything about it.
The engineer, Liu Zhao, was in charge of the after-sales service for Hao-Byu in
several Chinese cities. His clients included at least seven to eight hospitals,
possibly more.
The investigator met with Liu under a suitable pretext, and Liu explained that
for 50,000 yuan (US$7,200) he could assist potential buyers of Xstek machines
by performing his hack and circumventing the company's security features, thus
lowering the hospitals' overhead on each surgery performed. Liu could also
provide the machines legitimately through an agent instead of directly from
Hao-Byu (even though he worked for Hao-Byu), allowing him to service the
machines himself but avoid detection. The machines could then be sold to
hospitals with the hack already in place.
Xstek was facing a major problem. Not only was their security feature
compromised, but the hacker responsible was employed by their business partner.
Were other employees using Liu's hacking trick? Was his method available on the
open market? Furthermore, what about the loophole in Xstek's distribution
channel that allowed agents to freely sell machines without oversight? Clearly,
the investigation uncovered a vast security hole that would require extensive
retroactive measures to repair.
Certainly, Xstek was smart to initiate comprehensive investigations once it
suspected foul play. This particular case is the sort of security scenario that
is difficult to imagine, especially for a player that is relatively new to a
developing market. Still, there are a number of lessons to be learned by
studying this case.
Due diligence is critical
Proper due diligence allows companies to minimize risk and increase oversight
before problems arise. At some point, Xstek entered into an agreement with
Hao-Byu to distribute machines throughout Greater China. Had Xstek realized
that Hao-Byu allows third-party agents to sell products with very little
oversight, it might have recognized that risk and created contractual
mechanisms to prohibit such sales. Xstek would have benefited from vetting its
distributor and investigating Hao-Byu's existing business relationships to
learn more about Hao-Byu's normal business practices.
In addition, Xstek should have made sure that Hao-Byu had a proper background
investigation program in place. After all, Hao-Byu was responsible for hiring
the criminal Liu Zhao. Full knowledge about the operations of business partners
will help ensure that there are no nasty surprises down the road.
Even though Hao-Byu hired Liu Zhao (not Xstek), Hao-Byu ended up losing a
presumably valued business relationship because of its failure to pre-empt this
problem with appropriate background checks. If an employee has access to
sensitive information, it is imperative to be sure he/she is trustworthy. Find
out if new employees have criminal records. Conduct media searches. Contact
former colleagues and past employers.
Make no assumptions
Xstek placed a major emphasis on technology and assumed that the security
features built into its machines were foolproof. Xstek subsequently put its
distributor in charge of after-sales services and failed to consider the
possibility that a Hao-Byu engineer would have the capacity or motivation to
circumvent their security feature.
Never assume that any business or industry is completely safe. A historical
lack of any major security failures in a company or industry is not a
prediction of future security. In addition, operating in developing or
unfamiliar markets requires additional planning and caution. Legal and ethical
norms differ in every market; importing practices from developed economies may
not be an adequate safeguard in the developing world.
Ultimately, the key to designing a successful corporate security program in a
new market is to rely on competent human intelligence. In China, it is
absolutely critical to fully vet potential suppliers, distributors, employees,
support companies and partners. Take nothing for granted. It is best to
remember that the most robust corporate security programs are built not just
around adequate tools and technology, but on reliable business intelligence
professionals who can help navigate unfamiliar environments and effectively
mitigate risk.
Note: [1] All names - Xstek, Hao-Byu, and Liu Zhao - have been changed
from the original.
Richard Gould is assistant manager at CBI Consulting Ltd, an
investigative agency based in Shanghai, Guangzhou, and Taipei and engaged in
a wide range of business investigations, competitive intelligence, and brand
protection services. He can be contacted at: gould@cbiconsulting.com.cn