Cyber crime 2.0

Organised crime is costing businesses an increasing amount of money, but many are reluctant to talk about it.

by World Business magazine
Last Updated: 23 Jul 2013

In 1994, Vladimir Levin, a 23-year-old system administrator at a St Petersburg software house, used his computer to steal about $10 million from the accounts of US-based Citibank customers. Fortunately, the bank had already had its suspicions aroused and had alerted the FBI and Interpol to help monitor traffic on its networks. With the assistance of the Russian authorities, they tracked the illegal fund transfers to St Petersburg, where Levin operated from his house as part of a criminal gang. He had managed to access the 'Cash Manager' service, which lets Citibank customers move their funds to other banks.

Nothing happened immediately, but in 1995, Levin was lured to the West, and Interpol agents arrested him in London as he stepped from a Moscow flight. He spent the next two years attempting to fight extradition from Britain, but was finally shipped to the US and sentenced to three years in prison. He was ordered to pay Citibank his share of the theft - $240,015 - and the bank was able to recover all but $400,000 of the money.

The event could have been disastrous to Citibank's business, but it responded with an expensive investment in new security systems and sophisticated data encryption to ensure nothing like it happened again.

The Citibank case is generally regarded as the first electronic bank robbery - or at least the first publicised one. At the time, most hackers were still young kids showing off to each other with their latest virus that would play tricks on your computer screen, or wipe the data off your hard disk. But the internet and IT have moved on since then. The clever youths are still there - and still causing a nuisance - but there is now a new breed of criminals operating on the internet, motivated solely by money rather than clever tricks.

Last year, the FBI tried to quantify the cost of computer crime to the US economy and estimated it to be $62 billion. Many people see that as a very conservative estimate. Back in 1994, there were very few Levins to contend with; now organised crime sees the internet as a powerful and bloodless tool for stealing money, credit card details, intellectual property and personal identities.

This should be no surprise. Business has rightly embraced the internet as a fabulous business tool for cutting costs and opening up new markets.

Few of us could function any more without websites and email, not to mention all those other emerging technologies - wireless networks, VoIP calls (telephone calls via the internet), instant messaging - that make our lives easier and oil the wheels of commerce.

But these technologies are all under threat from a whole range of attacks, from debilitating computer viruses to the loss of private customer details.

So, ideally, we should be doing all we can to protect those systems from the growing threat. Unfortunately, if the rest of the industry learned any lessons from the Citibank incident, it was not the value of strong security, but the need to keep quiet about any breach.

In 2005, the Computer Crime and Security Survey was carried out by the FBI and the US-based Computer Security Institute. Respondents were asked why they would not report an incident to the police. "Damage to stock or image" was cited by 43% as their main fear, with 33% citing "fear of the competition taking advantage".

The survey is conducted annually among 700 companies in the US - a small minority that is even willing to discuss the subject. It means that for the past decade, security breaches have generally gone unpunished, with the culprits allowed to walk free in exchange for silence.

"There is still an ingrained mistrust of going to the police," says Richard Starnes, president of the UK chapter of the Information Security Systems Association, a professional body based in the US. "Companies have to realise they will take a PR hit - that's business - but in the longer term, there will not be any change until the criminals start feeling there is a better chance of them being caught. In the past, they have known they have a limited chance of being detected, a limited chance of being caught, or being successfully prosecuted. And if they do get prosecuted and convicted, they know they'll get a relatively light sentence."

But a couple of things have happened recently that make it harder to hide the crime under the carpet. In the first instance, a seemingly parochial piece of Californian legislation, called SB 1386, which came into force in 2003, produced some surprising results. It was designed to protect the interests of Californian consumers by ensuring that if any company holding their details suffered a security breach, they had an obligation to inform the individuals affected.

Since most US companies had some Californian clients, it meant that any loss of personal data would probably be affected by the law. And so SB 1386 has turned out to be extremely effective in uncovering all manner of technical slip-ups, so much so that several other states have followed suit and a federal law on the same lines is now widely expected.

Its effect has been dramatic. Ever since it came into effect, more than 100 companies have been exposed for losing or misplacing the personal details of their customers. The Privacy Rights Clearing House, a lobby group in the US, lists 130 security breaches in the past year, and says that the personal details of more than 52 million people have been affected (see www.privacyrights.org/ar/ChronDataBreaches.htm).

The public ignominy has driven some of the organisations affected close to destruction. CardSystems, for example, which exposed personal details of 40 million credit card holders, lost some of its biggest customers and was finally acquired by another company. For all of them, however, the law has forced them to do what they should have done in the first place, and introduce proper safeguards to protect their data.

The other great driver for better security is the sudden introduction over the past two years of stringent corporate governance legislation in the US, Europe and Asia. The best known of these is the Sarbanes-Oxley Act, introduced in the US in the wake of the Worldcom and Enron scandals, which imposes high levels of control on business and places responsibility for any wrongdoing at the feet of the most senior officers of a company.

A small but important part of the legislation stipulates that all financial and personal data should be properly managed and protected. The chief executive has to sign off a declaration that this is indeed the case

So, if a hacker breaks into your systems, or a virus wipes out your financial records, the chief executive can no longer point the finger of guilt at his technical staff. The buck stops at the top. The effect of Sarbanes-Oxley and a whole raft of other similar legislation, both in the US and the rest of the world, has been seismic. Companies have poured huge sums into compliance programmes in order to achieve a clean bill of health and meet auditor requirements.

But some people question how effective these efforts have really been.

In a report published at the end of 2005, the management consultancy Ernst & Young (E&Y) concluded: "Information security - a critical part of an organisation's ability to manage risk - is not doing nearly enough to keep up with changes. The gap continues to widen between the growing risks and what information security is actually doing to address them."

The findings were based on research at more than 1,300 organisations in 55 countries, and it makes depressing reading, especially in respect of the fortunes spent on compliance. It notes a basic paradox: "The sheer number of regulations and the consequences of not complying with them have brought information security into the boardroom. Yet many organisations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business."

Many organisations, it found, were more interested in achieving compliance than really making changes to improve processes at a fundamental level.

In other words, they were abiding by the letter of the law, but not the spirit, and in so doing they were missing an opportunity. As the E&Y report notes, the security threat is growing, especially as organisations adopt emerging technologies such as VoIP and mobile communications. All these technologies offer companies opportunities for profit, and yet very little thought is given to the threats they may pose. For instance, only about half of the survey's respondents gave their employees any security training or advice to help minimise the risk.

But if the auditors cannot convince companies to take security seriously, then maybe the prospect of losing customers will. Several studies have shown a growing suspicion of online shopping among consumers because of concerns over security. Last Christmas, the Business Software Alliance found that one-in-four US consumers said they would not shop online because of internet security concerns.

In July last year, a survey by the Gartner Group of 5,000 people found that three-quarters were wary of using online banking services or buying on the internet because of phishing attacks (see glossary) and wider concerns over identity theft.

The US-based Ponemon Institute, which tracks levels of trust among bank customers, found that 34% of respondents would switch banks if they discovered security had been breached just once, and 45% would leave after two incidents.

And a worrying 68% would transfer their account to another bank if they did not have confidence in the bank's ability to secure their personal information. The institute also reports that more than 60% of respondents fear they will be a victim of identity theft.

The stakes are high. "If consumers don't trust that things will be safe when they interact with the internet, then the business models we are all driving towards will fail to be effective. If the consumer's confidence is threatened, then the business model is threatened," says Lindsey Armstrong, a senior vice-president with Symantec, a major provider of security products and services. "What's more, if these business models fail, no-one can afford to go back to the brick-and-mortar models."

She emphasises, though, that information security should not be seen in isolation. "People are looking for more than just security, it is part of the whole picture of information risk, which includes business continuity and disaster recovery."

This is true. Many of the security breaches revealed in the US last year involve some very low-level mistakes - a data tape lost by a van driver, or a laptop computer left in an airport. Security awareness has to start from the ground up with a corporate culture that recognises the value of information and the need to protect it. The danger to reputation, brand and business is too high to take the risk.

THE THREATS

Figures published by Symantec, a major producer of security software, for the first six months of 2005 revealed a changing landscape where the attacks were becoming more difficult to detect, and were increasingly the work of organised crime. On just about every measure, the level of threats has continued to grow sharply; the company registered nearly 11,000 new viruses targeting Windows-based PCs in the period, a rise of 142% over 2004.

Phishing attacks almost doubled in six months, climbing to 5.7 million email messages a day. Another huge danger comes from the vast and growing number of broadband users around the world. The point about broadband is that it creates an 'always-on' connection to the internet, and makes the individual PC a sitting target.

Experts say that an unprotected PC has a 50% chance of being infected within 12 minutes of connecting via a broadband connection. And once infected that PC can then be controlled remotely by the sender of the malicious code. The machine has become a robot - or bot in the parlance - that can be secretly manipulated by the attacker.

The attackers assemble vast armies of such compromised machines, which they can then use either to send out spam, or to overwhelm a website they want to put out of action. The groups of machines are called bot networks, and their owners hire them out by the hour to anyone who wants to send a mass-mailing, or attack a website.

The assaults on websites, known as denial-of-service attacks, are often used as part of an extortion campaign. Some of the first were directed at gambling websites, where they would swamp the victim with internet traffic. The attack was then followed by a demand for money in exchange for peace and quiet.

Symantec found that 10,352 bot networks were in existence on any day during the first half of 2005 - up from less than 5,000 in December 2004.

THREE NOTORIOUS CASES

CHOICEPOINT

Atlanta-based information broker ChoicePoint held personal details on virtually every American citizen, but early last year it was tricked by a criminal gang into disclosing the details of around 163,000 individuals. Under the provisions of SB 1386, it had to inform any Californians affected, and so the breach became public knowledge.

As a result, ChoicePoint was fined $15 million by the Federal Trade Commission in January this year, and as part of the settlement it must implement procedures to ensure that it provides consumer reports only to legitimate organisations, to maintain an information-security programme and to be audited biennially by an independent, third-party security professional until 2026.

CARDSYSTEMS

In May last year, credit-card payment-processing company CardSystems admitted that someone had broken into its network and had stolen the contents of up to 40 million payments cards, including names, account numbers and expiry dates.

Under investigation, it was revealed that CardSystems had failed to encrypt credit-card transaction data, and retained card verification numbers that were never supposed to be stored. The company lost contracts with Visa and American Express, and was eventually acquired by another company.

SUMITOMO MITSUI BANK

In March last year, police in London foiled an attempt by an Israeli hacker to steal $423m from the Japanese bank Sumitomo Mitsui. According to insiders at the National Hi-Tech Crime Unit (NHTCU), the planning had taken place over several months. Intruders had managed to install small bugging devices, called keyloggers, on some of the systems at Sumitomo's offices in London.

The keyloggers, which connect to the keyboard cable of the PC and are easy to conceal, were able to record password and access information as the legitimate users of the systems went about their daily tasks. Sources say the intended crime was discovered only by chance by an operator who noticed unusual traffic on the Sumitomo network. The bank called in NHTCU under strict confidentiality. If the crime had been successful, it would have been one of the biggest bank robberies ever.

The foiled crime was made public as part of NHTCU's deal with Sumitomo.

ONLINE FRAUD

There is no shortage of anecdotal material to show that criminals are trading personal credit card information over the internet. This was confirmed recently by an investigation carried out by Symantec into online fraud communities. The company located a number of high-activity communication channels being used as a virtual marketplace for trading various information, including:

- Western Union accounts

- Credit card numbers - typically CVV2 numbers (the verification numbers on the reverse of the card) are also required for this to be considered of any value

- Paypal accounts

- Skype accounts

- Online banking accounts

- Counterfeit currency

- STEAM accounts - steam is an online gaming service provided by Valve Software

- E-gold accounts

- Epassporte accounts

- Root or administrative access to servers - compromised servers are commonly used to host phishing websites. Often referred to as 'roots' by participants in these chatrooms and forums

- Email address lists

- Fedex online accounts

- eBay accounts

- Unsecured email relays - often manifested as php scripts, used to facilitate spam and distribution of phishing emails

GLOSSARY

Bot (or zombie): A computer that has been infected with a Trojan (see below) without the knowledge of the user and which can be controlled remotely by criminals, usually to mount denial-of-service attacks or to send out spam.

Bot network: A collection of zombie PCs that can be managed centrally by criminals to send out spam or mount denial-of-service attacks.

Distributed denial of service (DDOS): An attempt to swamp a website with so much traffic that it breaks down.

Phishing: This involves sending out email messages that ask the recipient to confirm bank account details for some reason. If the person sends the details, they will be routed to the criminal gang running the scam. The details can then be sold on to anyone.

Spam, Spim and Spit: Most people are acquainted with spam. Expect to see the same unwanted traffic coming into Instant Messaging systems, such as MSN and Yahoo (Spim), and even over internet-based telephones (Spit) as VoIP takes off.

Spyware: Any software that covertly gathers user-information through the user's internet connection, usually for advertising purposes. Spyware is often secretly installed when a user chooses to download a free game or program from a website.

Trojan: A program that runs unseen on a user's PC and allows someone else to control it remotely. In practice, affected machines can be hijacked by the sender of the Trojan, and used for sending out spam or for mounting denial-of-service attacks.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Subscribe

Get your essential reading delivered. Subscribe to Management Today