Cyber security in 2013

January 2013 Information Security

In April 1998, the director of the CIA, George Tenet, said that the United States was building an information infrastructure, based on the most complex systems the world has ever known, on an insecure foundation: “We have built our future upon a capability that we have not learned how to protect. We have ignored the need to build trust into our systems. Simply hoping that someday we can add the needed security before it is too late is not a strategy.”

The clear and present danger caused by this insecure foundation was emphasised in May 2012 by the head of Interpol, Khoo Boon Hui. He said, “We have seen global financial institutions suffer from major cyber attacks on their networks and servers, with US banks purportedly losing $900 million to bank robbers but $12 billion to cyber criminals last year.”

Those figures mean that for every dollar stolen by old-fashioned bank robbers in America, $117 were stolen by cyber villains.

Local evidence for this criminal shift into IT-based crime – cybercrime – is not hard to find. In a pair of cyber thefts early in 2012, two SA banking institutions were robbed of R69,3 million. In light of the continuing rise of cybercrime, it is clear that 2013 will see even more focus on the nature and scale of the problem and how security solutions can prevent the damage it is causing. So what is the cyber problem and what can be done about it?

Cybercrime: is it for real?

It strikes me that many people think cybercrime is make-believe and that the threat it poses is not actually real; that it is a virtual threat in some sort of hi-tech fantasy world. The term ‘cyber’ may be partly responsible for such attitudes because it creates a perception that this particular form of crime really only belongs in the movies. This is dangerous if it makes us underestimate cybercrime’s real-world significance.

It is almost certainly causing us to underestimate the importance of introducing secure systems that create an effective barrier to the cyber problem in all its guises.

Definitions for cybercrime can also be confusing and misleading. For example, does a cybercrime have to involve the Web? Within cybercrime itself do we all understand what is meant by zero-day exploits, drive-by downloads or malware? Can it be that we are doubly confused about cybercrime because the language it uses seems so alien?

For me, any crime that uses some form of IT system is a cybercrime. Using a desktop, laptop or mobile device as part of the crime turns it into a cybercrime. If it is digital, it is cyber. And that provides a clue to the enormous scale of the cyber problem. Because so many of our daily activities are IT-based, the spectrum of cybercrime is very broad indeed. Consequently, we are vulnerable to cybercrime in many different ways – both as individual consumers and as corporates.

Sticking our heads in the sand is also not a strategy

If it is digital, it is vulnerable. That unequivocal message just about sums up where we are at with corporate cybercrime. From electronic payments, invoicing and payroll through to financial forecasts, deal negotiations and product development, any aspect of the organisation managed digitally is vulnerable to cybercrime and needs to be protected.

Obvious and well-reported cybercrimes like fraudulent EFT payments are easy to understand, both in terms of how they occur and the damage done: IT access credentials get stolen and the cyber villains transfer stolen funds to their accounts.

However, the cyber theft of sensitive corporate information is perhaps not so widely understood, either in terms of how it occurs or its consequences. Speaking in June 2012 at the launch of an anti-cybercrime partnership between the UK’s intelligence services and the private sector, Jonathan Davis, the head of MI5, said this about the cyber threat to corporate secrets: “One major London-listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of a hostile state cyber attack.”

Perhaps the wide-ranging and diverse nature of cybercrime contributes to even more difficulty in understanding the challenges it presents. It comes in so many different shapes and sizes, and affects so many areas of an organisation’s operation that it is hard to grasp the overall nature of the cyber threat. We hold thumbs and hope that it passes us by….

Speaking about the reluctance to face the challenges of corporate cybercrime, Preet Bharara, US attorney for the Southern District of New York and the ‘top cop’ on Wall Street, said in an October 2012 interview with the Financial Times that a bank would never think twice about reporting an armed robbery.

However, corporate attitudes towards cybercrimes are clearly quite different. In Bharara’s experience, “Companies are still waiting too long to disclose intrusions to law enforcement.” He went on to say, “The fact that you do not have senior management and its board heavily focused on something that can be a company-ending threat is an abdication of responsibility, without question.”

Bharara’s message is clear. Cybercrime should be – but is not – a board-level priority in terms of what organisations are doing to protect themselves from the immense damage it is causing. Perhaps the losses caused by cybercrime are so large that they almost become meaningless and therefore non-threatening. For example, the 2011 cyber theft of over 100 million customer records from the Sony PlayStation Network showed just how serious the damage can be when Sony acknowledged that it had allocated $171 million to deal with the hack-attack on their systems. That is over R1,5 billion…

In terms of even bigger losses, the Swiss investment bank, UBS, lost over $2,3 billion in 2011 as a result of unauthorised, unmonitored – and obviously digital – trading by a London-based employee.

Identity fraud is a major problem

Identity-based crime affects consumers on a daily basis and much of it is digitally based and therefore cyber. All those phishing e-mails that we receive every day are primarily looking for one thing: usernames, PINs and passwords. Cyber villains target us with these mails because if they can con us into providing our online credentials, then they are going to rob our payment cards and our bank accounts.

But they also target organisations that hold our identity details, such as banks or insurance companies and medical aids. Personally Identifiable Information or PII is a valuable commodity to certain cyber villains and they steal it on an alarmingly frequent and large scale.

And it is also important to recognise that these villains are smart villains. For example, in a May 2011 cyber theft, details of over 360 000 cardholders were stolen from the American bank, Citigroup. The bank said that the stolen PII data was limited in nature and consequently insufficient to enable transactions. Customers were not at risk since Social Security numbers, birth dates, card security codes and expiry dates were not taken.

But the reassurances were not entirely successful. It seems that card numbers, home addresses, holders’ names and e-mail details were just a starting point for the cyber villains. Just a few weeks after the theft, Citigroup disclosed that over $2,7 million (about R24 million) had already been lost to fraudulent payments.

Closer to home, it was widely reported in November 2012 that the details of hundreds of thousands of South Africans had been stolen from PayGate, a local processor of card payments for each of SA’s four big banks as well as retailers like Woolworths.

As with Citigroup’s cyber incident, PayGate said it did not keep personal data like addresses and ID-numbers, but did store e-mail details and warned customers to be wary of phishing attacks. No need to ask why….

And we are paying a high price for all of this digital crime. Consumer-based identity fraud costs South African organisations billions of rands. According to the South African Banking Risk Information Centre, payment card fraud alone cost R505 million between January and September 2012. Mike Henderson, of the credit bureau Xpert Decision Systems (XDS), says that a leading local retail group is apparently losing up to R12 million a month due to identity-based fraud.

Looking beyond card-based fraud, Henderson says that at one South African vehicle finance company, 60% of credit applications have documentation problems and 30% have fraudulent identity details.

Whether it is cybercrime within a corporate environment or happening on a consumer level, all forms of cybercrime share a common denominator: identity theft. From corporate cyber thefts based on stolen access credentials through to payment card fraud based on stolen identities, most cybercrime is based on the villains using other people’s identities to perpetrate their crimes.

Accurate control of identity through fingerprint authentication is an obvious way to counter a multitude of cybercrimes. And the losses caused by inadequate cyber security should certainly provide sufficient motivation to address the problem from the roots up.






















© Technews Publishing (Pty) Ltd. | All Rights Reserved.