Firms hire Richard De Vere to deploy his very unusual set of skills - breaking into their businesses to highlight security problems. Chris Burn reports.
Hacking into some of the country’s top companies, hiding in bank cupboards all night and smuggling replica devices into football grounds – it is safe to say Richard De Vere is a man with a pretty unusual CV.
The 31-year-old, who grew up on a council estate in Huddersfield and was expelled from school at 13, has gone from a career as a plumber to becoming a highly-respected cyber-security expert – appearing in a NatWest online campaign and being invited to speak at specialist conferences organised by the police.
Now running a consultancy company called The AntiSocial Engineer, his day job involves essentially imitating what are known as ‘social engineering attacks’, in which fraudsters use a variety of deception techniques to gain access to confidential or personal information that can be used to make money.
So as well as testing out well-recognised scams such as email phishing, where workers are tricked into clicking links with viruses or revealing private information, De Vere also goes a step further by physically entering company buildings to expose security weaknesses.
This is done through a variety of subterfuge methods, including impersonating people who should be allowed access to private parts of company buildings using information gleaned from hacking. But sometimes it can be as simple as hiding in a cupboard while people go home.
What it boils down to is getting into the mindset of the types of cyber criminals who conduct such attacks. “I get a feeling for the mindset of the attacker, it is essential to do my job, understanding what is going through their head,” he says. “There is a lot of research before a job. It is a bit like being in love – you stop eating, you stop thinking about other stuff.”
He says physical entry to company premises is the most under-reported aspect of social engineering – and the most nerve-wracking to try to reproduce, even when being paid to do so by the firm involved.
“To do this kind of stuff, you have to be quite cocksure. When I first did this kind of job I was petrified. It was an absolute nightmare but quickly the nerves went.
“The first few jobs you are so nervous. The first job, I came away thinking ‘I’m Superman’. The second job, I thought I was invincible. But by the fourth or fifth job, you realise you are nothing special and most people could do it if they put their mind to it.”
De Vere, who still lives in Huddersfield, says that when someone falls for one of the scams he has arranged, for example by clicking on a link in a phishing email, the adrenaline kicks in for him in a similar way that it does for a real cyber criminal.
“You get this feeling of elation and find yourself jumping around the house at two in the morning. The attacker knows it is going to be a success. This is part of what drives these people. If you click that link, they are over the moon. For a criminal, this would be a big payday. For me, it means my social engineering campaign was a success.”
De Vere says he has always had an interest in computers and used to copy Pokemon games to sell in the playground at school. He says becoming a dad at the age of 22 changed his mindset and helped set him on a new career path, making positive use of his extensive IT knowledge. “I decided to dedicate my life to fighting cyber crime and people up to no good.”
He went on to get a job at a company that helped firms with security measures, which led to some very interesting experiences. One of his jobs involved attempting to smuggle a replica device into a football ground.
“I got in the building hiding under players’ cars. I had to go under a Range Rover as I’m not a small guy,” he says.
After the company was bought out, in December 2014, De Vere decided to strike out on his own by setting up his own business solely focused on social engineering attacks.
“I knew cyber crime would rise and the police can’t handle it. I thought ‘I’m going to do this’. If people knew how easy it was they would be really shocked. I always find it interesting when I relay to an IT manager what could have happened if I had been a real criminal.”
De Vere says cyber crime is becoming more prevalent as it becomes easier for even children and less technically savvy people to carry out.
“Ten years ago sending a phishing email was quite a complex thing, now literally a kid could do it,” he says. “The mindset of a determined attacker has been replaced by the 15-year-old who has got curious and a whole myriad of people who have transferred from traditional crimes. It is just more available. They have got the kind of resources that 10 to 15 years ago was in the hands of nation states.”
The nature of how major companies can be hugely affected by cyber crime was shown by the recent data breach involving the details of more than 150,000 TalkTalk customers in October 2015.
Just one week before the attack, De Vere wrote a blog highlighting concerns about problems with their cyber security levels. He says when the real cyber attack started taking place, he emailed a senior employee at TalkTalk to warn them of what was happening.
News of the attack went public hours later and TalkTalk ended up being given a record £400,000 fine by the ICO after an investigation found security failings had allowed a cyber attacker to access customer data “with ease”.
The attacker accessed the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In more than 15,000 cases, the attacker also had access to bank account details and sort codes.
In some senses, TalkTalk were fortunate with the timing of the data breach – from next May, tougher penalties for such failures are being introduced that would have seen the company’s fine ending up in the tens of millions.
De Vere helped inform the public about the more recent data breach which affected the AA Shop by alerting the media to what had happened. More than 100,000 email addresses were believed to have been affected by the breach in April which became public in July through news reports.
De Vere says larger companies are taking “giant steps” with their cyber security as the tougher legislative regime looms.
But with cyber criminals, corporations and the police involved in an online security arms race and growing public awareness of the threats that can be posed by the internet, this unlikely modern-day action hero from Huddersfield seems certain to have plenty more adventures ahead.