CCC-Watch

THE SCOPE OF ONLINE CRIME

I have chosen online theft as my topic. It is a growing, multifaceted problem that touches each of us if only indirectly.

The impetus for this EOTO article came from two articles by Jon Swartz from USA Today (that I read in airport terminals!). You can access his 10/21 (“Crooks slither into Net’s shady nooks and crannies”) and 10/24 (“Home PCs are not as protected as owners think”) articles by searching the USA Today Web site.

SCOPE: MONEY

One’s own money is at risk by people who break into our mail boxes and intercept our Internet communication. Moreover, even if one uses the latest encryption software, the costs of losses may be seen in higher prices for all items. It is just like shoplifting. Everyone pays for it.

According to Swartz, consumers and businesses, such as credit card providers, lost $14 billion to online crime. That was 10 billion for spam, two billion in losses for online merchants and another two billion from individuals who were victims of scams. Loss of confidence and future revenue are harder to gauge.

SCOPE: TREND

One can see that the scope is very large and increasing, according to Ferris Research. Online fraud is surging according to the National Fraud Information Center. Swartz cites FBI statistics and examples to demonstrate the increase in online extortion. What is more disturbing is one trend that has not changed; namely, victims of online crime are unwilling to discuss it. Individuals may be too embarrassed. Large corporations may not want to advertise that their systems were compromised.

On a positive note, legislation and penalties are growing in volume and severity. For example, on October 7, 2004, the U.S. House of Congress passed a law against spyware. International cooperation (e.g., an extradition treaty) is also needed as criminals set up shop in the countries with least legislation.

SCOPE: POTENTIAL ISSUES

Could a cyber-attack close a bank? Could one damage national security? Amit Yoran quit his post as the American national cyber-security chief because these questions were not being dealt with. This follows the departures of Richard Clarke, Rand Beers, and Howard Schmidt. I guess it is not an easy job. In any case, the U.S. is not getting the leadership it deserves.

What is not speculation is that the potential harm is as great as our reliance on computers.

HELPFUL MEASURES

I do not think that this problem will increase unchecked forever. There are solutions to the existing and potential problems that involve forethought and cooperation. In fact, aside from technical aspects, most of the crimes and threats exploit the absence of security measures and cooperation.

No technical solution made by people can avoid defeat by people. There are many possible measures that can contribute in a positive way. I hesitate to use the word ‘solution’ but feel the combination of all the following measures would lead to safer surfing. These four measures seem like common sense to me.

Measure 1: INCREASED AWARENESS

The first solution seems the most effective but may also be the most unrealistic. I immediately think about the difference between the terms ‘safe sex’ and ‘safer sex’. Replace ‘sex’ with ‘Internet use’ and one immediately gets a realistic picture of the limitations of online security. Specifically, one can never be 100% safe from online theft. All one can do is mitigate the risks. Since people sometimes do not take care of their health, with potentially fatal consequences, it is too much to ask them to take care of their online activities. People want plug-and-play PCs and care-free surfing.

So, it is helpful to explain the risks involved. Any talk of security protocols, firewall software or Internet security benchmarks is premature before one realizes the potential risks. People can lose a lot of money and their good name.

Above all, everyone has to realize that the Internet is a public space. The privacy and security of one’s home does not necessarily extend to the Internet. Clearly, it is not in the interest of the PC makers and sellers to emphasize this. Some public bodies should raise awareness and fill the common sense gap. The following three resources are all free!

Resource #1: http://www.cisecurity.com/ is an international, member-sponsored organization. You can read its charter HERE.

Resource #2: I think that the National Cyber Security Alliance raises awareness, but just for those who hear about it. It takes a lot of money and marketing skill to get their message out.

Resource #3: http://www.sans.org/top20/ has information about computer vulnerabilities that criminals can exploit to reach your sensitive information.

Measure 2: REGULATE/LEGISLATE WEB ACCESS POINTS

One cannot rent a car without a driver’s license. One cannot buy a cellular phone without identification. Getting online is not regulated at most Internet cafés. Criminals can go from café to café, or network ‘hotspots’, committing fraud and theft. An IP number trace would provide no useful information.

On the other hand, this measure must be balanced with the idea of increased access to the Internet. An effective measure should not be a barrier to access. Telephone and mail fraud were around for many years before specific laws came into effect to combat them. Al Capone was brought down by stiff laws against mail fraud (and Robert Stack). A Net-savvy criminal needs to face similar laws and penalties.

Resource #4: http://www.mit.gov.in/it-bill.asp. In India, for example, the IT Act of 2000 specifies that identification must be provided at public Web access points. You can download the PDF file of that law HERE.

Resource #5: Read an interesting article about exploiting network ‘hotspots’ HERE. Again, the author is Jon Swartz.

Measure 3: BETTER SECURITY TECHNOLOGY

Anything made by people can be defeated by people. I still think that if ‘next-generation’ technology lives up to its name, the public will benefit. One of the smartest things for international security is to hire cyber-criminals. If the penalties are stiff, the criminals would be suitable motivated to cooperate.

Any improvements in technology will be defeated in time. This measure deserves attention because it provides another hurdle for criminals to overcome. There are no guarantees, but more is better.

Resource #6: HERE is one company that sells computer security information and security services. There are several private firms that do the same business and the field is growing.

Resources #7 & 8: “Cyber Crime” by Laura E. Quarantiello is one of many, similar hard-copy resources. It was
interesting to learn the new vocabulary words written on her site, but the best resource
I found was http://www.antionline.com/.

Resource #9: I have read, and can recommend, online articles by Symantec. I am their customer.

Measure 4: BUNDLED FIREWALLS WITH ALL NEW PCs

This is probably the simplest, most cost-effective measure. Any country can stipulate that firewall software be bundled with new computer sales. This does not mean that used computer sales would have it, but new PC sellers would not want to risk any big fines. With an economy of great scale, the price of firewalls would come down. The awareness of firewalls and their use would go up.

Resource #10: http://www.interhack.net/pubs/fwfaq/ has an in-depth explanation of firewall technology.

Resource #11: I found a simpler, common-sense site at http://www.firewallguide.com/.