Internet Interest Group: Cybercrime

November 1, 2001

Before considering the messages from the speakers, first, a few statistics from the CBI, published in August 2001:

  • Two thirds of UK businesses have suffered some kind of cybercrime
  • £500 million was lost last year in fraud losses in Europe
  • 43% of ordinary people feel cybercrime is a problem.

A Criminal Charter

So why is it so tempting, and so easy?

  • The size of the market is enormous – online shopping gross profits are predicted to be £103 billion by 2006.
  • It’s cheap to be a cybercriminal! You do not need expensive cars, apartments, or good clothes. A computer and a phone line (and some cybercrime skills) are enough.
  • You can do it from anywhere – you can be in one country and the fraud which you are perpetrating can be targeted on another. This makes it easier to be undetected and (as a last resort, even if accused) harder for the authorities to convict you.
  • It is easy to conceal your identity on the Internet. For example, most viruses come from false names and e-mail addresses.
  • It is easy to manipulate the perception of others – convince them that they are accessing a genuine site or that the information being given them is correct (the modern equivalent of ‘It must be true – I read it in the paper, didn’t you?’).
  • It is surprisingly easy to get information out of an organisation (eg credit card information of a company’s customers). This has really become quite common.

Here are some of the different types of cybercrime

  • Misuse of stolen credit cards. There are thought to be £4 billion losses on credit card fraud. Of credit card transactions, 2% are online, but 50% of the losses come from the online transactions. The FBI estimates that 1 million credit card numbers have been stolen from e-commerce sites. Often, the company concerned is too embarrassed to tell the customers promptly, and pressures are only now being brought on companies to disclose the loss of data promptly before further damage is done. Often the fraudulent transactions are just a few dollars – likely not to be noticed by many users, since the credit card statement is likely to come several weeks after the loss occurred and when it is easy to forget a small purchase. If there is an argument with the credit card company and you make a big fuss about this, your own credit rating can suffer.
  • Stealing information. This is often carried out by a disaffected employee, who takes away confidential information on a floppy disk, or e-mails it to someone outside.
  • Cyberlaundering. Money laundering is an enormous subject in its own right but the contribution made by online accounts and credit transfers is increasing all the time. Transfers online have the great advantage of not involving personal cheques or contacts of any kind and a computer is much less likely to be suspicious than a human being.
  • Blackmail carried out via the Internet, and also ‘whitemail’ – such as making money before the New York attack.
  • Hate sites and racist sites, combined with e-mail to the targets.
  • Denial of Service. The target is deluged with thousands of Web requests. Similarly, mail bombing.
  • Defacing a Web site. Many supposedly well secured Web sites have been defaced, including the Pentagon’s and the Labour Party’s.
  • Hijacking. By changing a url on a target site, a hacker can take people to a different (false) Web site, not the one they think they are visiting. It can take a while for the target to discover this and money can be transferred to a false account.

Stephen Philippsohn is an expert on the recovery of losses and he talked further about developments in third-party disclosure and how disclosure orders can help trace lost money. He talked also about the liabilities of accessories, including lawyers, accountants and ISPs, and whether exclusion clauses can avoid liability.

Reasons why fighting cybercrime is difficult

Defining the crime is a problem, let alone creating the legislation to address it! By the time you are dealing with Internet crime, working across several jurisdictions, the problems are horrendous. Even across Europe (only one geographic part of the problem), there is a lack of legislation to cover the problems which are in fact arising. (There is a EU cybercrime treaty under discussion).

There is also a lack of international empirical data. Victims are often very unwilling to come forward since their own commercial credibility is threatened with customers, shareholders and lenders. Getting the evidence from different countries, different computer systems and different Web sites is also a nightmare.

Malicious employees are a recurring theme as well as external ‘hackers’. Many companies have few if any formal security policies, and employees – even ones in sensitive posts – are often not vetted. Moreover, many organisations’ computers have lax access controls and security procedures which are out of date and inadequate. Who is responsible for IT security in an organisation? It is often not clear.