
Cyber crime call

by Mark Rowe

Most cyber crime could be prevented by better awareness by the user, according to the Home Affairs Committee of MPs. Whilst the sophisticated threats will remain, we must do more to protect our information online, the committee has argued in a report on e-crime.

Committee chairman, the Labour MP Keith Vaz, said: “We are not winning the war on online criminal activity. We are being too complacent about these e-wars because the victims are hidden in cyberspace. The threat of a cyber attack to the UK is so serious it is marked as a higher threat than a nuclear attack.

“You can steal more on the internet than you can by robbing a bank and online criminals in 25 countries have chosen the UK as their number one target. Astonishingly, some are operating from EU countries. If we don’t have a 21st century response to this 21st century crime, we will be letting those involved in these gangs off the hook. We need to establish a state of the art espionage response centre. At the moment the law enforcement response to e-criminals is fractured and half of it is not even being put into the new National Crime Agency.

“The tragic murders of April Jones and Tia Sharp have shown the terrible consequences of access to indecent images on the web. Young people are increasingly radicalised online by the words of radical clerics such as Anwar al-Awlaki on YouTube or internet magazine Inspire. What starts on the web, ends up on the streets of Woolwich. The Prime Minister was right this week to highlight the responsibility of the Internet Service Providers, search engines and social media sites. They are far too laid back about what takes place on their watch and they need to do more to take inappropriate content down. If they do not act, the Government should legislate.”

Some witnesses to the committee queried whether the ‘war’ on e-crime was being fought and won. City of London Police Commissioner Adrian Leppard told the MPs that “we are not winning. I do not think we are winning globally, and I think this nature of crime is rising exponentially”. The City of London force has long taken a lead on fraud, but Leppard warned that a quarter of the 800 specialist internet crime officers could be axed as public spending is cut.

MPs noted that e-crime is becoming increasingly hard to define as separate from other crimes ‘because so many criminals now use online devices and generate digital evidence’. The committee said: “We are very concerned that there appears to be a ‘black hole’ where low-level e-crime is committed with impunity. Criminals who defraud victims of a small amount of money are often not reported to or investigated by law enforcement and banks simply reimburse victims. Criminals who commit a high volume of low level fraud can still make huge profits. Banks must be required to report all e-crime fraud to law enforcement and log details of where attacks come from. The perceived untouchable nature of these low-level criminal acts is exemplified by the adverts RSA noted on Facebook advertising ‘fraud as a service’.”

The committee recommended a ‘dedicated espionage response team that British companies, media, and institutions can immediately contact to report an attack’ and who can also provide training to counter cyber-attacks.

As for how much e-crime is around, the MPs pointed out that recording practices are ‘inadequate to give an accurate picture of the extent to which reported crime is committed over the internet’. The committee called for ‘an additional field on crime reporting forms’ so that police could indicate whether or not there was digital evidence relating to a crime.

MPs were also concerned that European Union countries are not doing enough to prevent cyber attacks from criminals within their countries on the UK; and MPs could not understand why the UK has refused to support funding for the new Europol CyberCrime Centre C3.

Among witnesses to the committee, Ross Anderson, Professor of Security Engineering at Cambridge University, spoke of documented ‘clever technical frauds that enable card data to be captured from tampered terminals, and which even enable stolen cards to be used without knowledge of the PIN. The fact that a bank’s records claim that the correct PIN was used usually proves nothing of the sort’. He said that the police are usually not much help either, especially since an ACPO decision in 2005 to get people to report fraud to their bank in the first instance rather than to the police.

Prof Anderson suggested the only really dependable fraud figures come from victim surveys, such as those conducted by the British Crime Survey and Eurostat: “These suggest that about 4 per cent of the population become fraud victims in any year and about half don’t get their money back. What’s more, the fear of online crime is real and it discourages many people from doing more things online, causing real harm to the economy.”

According to the British Retail Consortium (BRC) the central concern of BRC members relates to the case acceptance criteria for each of the national agencies who deal with e-crime and fraud: “Too often, retailers find themselves preparing detailed reports with the expectation that the relevant agency will accept the case. However, because of the opaque and diverse range of case acceptance criteria, retailers frequently find their case falls just short of the requirements for acceptance.” The committee of MPs spoke mainly to senior police officers, academics and trade bodies.

What is cyber crime? Cybercrime is defined by police as the use of any computer network for crime. The MPs’ report spoke of ‘pure’ online crimes, where a digital system is the target, whether for sabotaging IT or stealing data; existing crime such as credit card and other fraud and espionage, now done online, and ‘growth of the internet has allowed these crimes to be carried out on an industrial scale’; and drug smuggling and other crimes aided by the internet.


Comments


Peter Clements, of the counter-surveillance consultancy Templepan, says: “The suggestion that certain forms of e-crime are seen as low-level and therefore not reported or investigated is worrying, particularly due to the serious nature of the crimes involved. Banks not reporting cases of financial fraud or proper investigation being followed through on e-crime cases will only encourage cyber criminals to become more bold.

“Comment from the chairman of the committee, Labour MP Keith Vaz, that the UK is the number one target for cyber gangs out of 25 countries is particularly bad news for UK business. Earlier in the year the Boardroom Bellwether survey issued by the Financial Times/ICSA found that four out of five of the UK’s largest quoted companies were not prepared for cyber attacks. Combine these findings with the latest report from the UK’s fraud prevention service Cifas on insider-related fraud, which is up by 43 per cent in 2012, and businesses could find themselves in a weakened position due to a leak from within providing access to these criminals.

“Therefore it is vital that businesses become increasingly vigilant about the threats from within, and not only to their IT security systems and data loss prevention systems (DLP). The tools of the cyber criminal are increasingly sophisticated and unfettered by time zone or region; although it is the authorities’ responsibility to act accordingly, business boards need to address this issue for their own protection and be thorough. Boards should not overlook the more traditional low-key technologies, such as bugs, and should ensure all areas of business use are swept regularly. A leak from within via an employee may not be online; mobile bugging devices are easily obtainable, used and disposed of. At the end of the day all it takes is one leak to effectively ‘steal’ data or intellectual property.”

Matthew Fell, CBI Director for Competitive Markets, said: “Cyber attacks are a clear and present danger for businesses, posing financial and reputational risks, so this report is an important reminder to individuals and businesses to take steps to protect themselves. Proposals to force businesses to report a cyber attack as soon as it happens when they should instead be focusing on fighting the attack privately could be counterproductive and put them at greater risk.

“Mandatory reporting would also risk cyber security becoming a tick-box regulatory requirement and stifle business-to-business information-sharing.”

Dr Akif Khan, Director, Strategic Initiatives, CyberSource, said: “While it’s encouraging that The Home Affairs Select Committee is calling on the UK to do more to combat cybercrime, we need to be realistic in tackling this very serious issue. As much as we’d like to think the police will follow up on every fraudulent order, they simply cannot – especially when police numbers are being cut across the country. In times of austerity, we need to be extremely mindful of how we use precious police resources. However, merchants, both on and offline, need to continue to report all fraud they experience – no matter how minor. What may seem like low-level fraud or cybercrime could help to paint a bigger picture to the police. In the meantime, most merchants are savvy enough to know that they can’t simply rely on the police alone to stop online fraud, but instead ensure they have the right defences in place to protect their business and customers.

“The ecommerce landscape used to be straightforward, but with so many channels to cater for and manage, retailers need to make sure they put stringent measures in place so that they don’t fall short. But they need to walk a fine line: provide a consistent and safe buying experience, while ensuring that they are doing everything that they can to minimise risk of cybercrime.”

Pat Carroll, CEO of IT security company ValidSoft, argues that financial institutions should step up and use the effective security systems that can protect against this type of fraud occurring in the first place. A proactive, not reactive, approach to cybersecurity is needed. “Beyond reporting online crime and uncovering and persecuting the criminals hiding in cyberspace, surely it is now time for financial institutions to step up and utilise effective security systems that can protect against this type of fraud occurring in the first place.

“The key to this security lies in real-time detection, prevention and immediate resolution of fraudulent activity. Technology is available today to absolutely achieve this, in real-time, totally privacy sensitive, highly secure and yet intuitive from a customer standpoint. In fact, in many cases the customer is not even aware that security is being applied as many of the techniques used are completely invisible. The answer is robust customer authentication and transaction verification, relative to the bank’s perceived risk of the transaction. It must have speed (real-time), strong security, efficiency, good customer service and ease of use, while shutting down the scope for fraudsters to benefit from their crime.”

Klaus Gheri, VP of product management Europe, Barracuda Networks said: “The growing threat of Internet crime is not specific to the UK. It is the same everywhere. Law agencies are ill equipped to protect against cyber warfare. Social media sites have become a regular hunting ground for cyber-espionage attacks and an easy way for cyber criminals to launch targeted attacks against businesses.

“The government has the biggest responsibility here. It needs to pass legislation for all businesses to have a prescribed minimal amount of cyber security. There should also be an obligation for businesses to report any hacks and data loss. In the meantime, businesses need to wake up and recognise that they are at risk of an attack. It is imperative that they set dedicated budget aside to address the organisation’s cyber security.

“The right technology such as Next Generation Firewalls (NG Firewalls) and Web Application Firewalls (WAFs) are there for businesses to control what enters their network and applications. This, combined with staff awareness training should be a no-brainer for all organisations.”

James Carnie, head of solutions architecture at Adapt, said: “With security concerns high on the agenda of any customer making transactions online or giving out personal information, the protection of this data has become a key part of every UK company’s customer service offering. The report highlights something that these companies have been concerned about for some time: that customer data is potentially at risk from low level, unpenalised crimes. It’s therefore up to the UK companies themselves to act fast and combat potential threats on their own. However, MSPs can help protect UK businesses from low-level crime, with access to high quality, highly secure, controlled and accredited data centres to host their data. This helps to prevent form the opportunistic low level crime where the data is physically stolen (server, disk, etc) or electronically stolen (USB stick). Turning to a service provider that has strong security credentials can significantly reduce risk, giving the company monitoring tools and a dedicated team of experts to monitor any new threats to customer data.”

Darren Anstee, Solutions Architect Global Team Lead for Arbor Networks, said: “The frequency and complexity of cyber threats continue to escalate. However, although attacks themselves have become more complex – the technical know-how required to carry them out has in some cases fallen. Readily available botnets-for-hire, malware toolkits and other services which now exist to facilitate cyber-crime have made it much easier for criminals to exploit the opportunities the Internet provides. Looking purely at Distributed Denial of Service (DDoS) attacks, one type of cyber-threat, our research indicates that attacks are growing in size – average size is up 43 per cent so far this year – and large attacks, capable of saturating the Internet connectivity of even large organisations, are becoming increasingly common. We have already tracked more than double the number of attacks over 20Gbps that we monitored in the whole of 2012.

“The Home Affairs Select Committee’s warnings should be heeded. The Internet has provided many businesses and our broader economy with significant growth opportunity – unfortunately criminals can also exploit this opportunity. Any organisation operating online in the UK is a potential target, and it was recently reported by the GCHQ that the UK faces at least 70 sophisticated cyber-attacks a month. To stay on top of this authorities in the UK must look to develop a cohesive strategy for dealing with cyber-crime.”

Arbor Networks released research on the growth in size and complexity of DDoS attacks during the first half of 2013. A slide-share with the full research can be viewed here.

And from Lior Arbel, CTO of Performanta Limited, an information security firm: “Despite modern firewalls, and what was believed to be adequate protection, the stories of espionage and data loss are mounting. The important question of how we monitor, manage and control outgoing as well as incoming data has become all the more relevant. Whilst we welcome many of the Home Affairs Select Committee recommendations on deterring state-sponsored cyber-espionage and the protection of critical data, everyone today – employees, partners and users – must realise we are all in the data protection business and take responsibility for our actions. Businesses in particular must be proactive and deal with the threat of critical data loss right now at a technological level in order to protect themselves and their employees. With the government proposing that up to a quarter of the UK’s 800 specialist internet crime officers could be lost due to budget cuts and 78 per cent of large organisations in the UK attacked by an unauthorised outsider in the past year, every business needs to step up in the battle against cyber espionage.”

A British Bankers’ Association (BBA) spokesman said: “Banks are committed to dealing with the growing risk of cyber crime and the industry has put in place strong systems to detect and prevent cyber crimes, with good results. However, cyber threats continue to evolve and banks are continuing to work with crime agencies to help protect customers and maintain a safe and secure financial system.

“We agree with the Committee that public-private partnership is vital to address cyber crimes. Banks are already supporting Government initiatives such as the Cyber Information Sharing Partnership and the BBA has also formed a new Liaison Group with the National Cyber Crime Unit to ensure that there are effective operational arrangements between law enforcement and the industry for cyber investigations.

“The Home Affairs Select Committee has quite rightly identified the global nature of cyber threats and banks are working closely with international bodies including the United Nations, European Commission and Europol in order to promote an effective global framework. However, we share concerns with UK businesses about the effectiveness of mandatory breach reporting. It is crucial that businesses are able to choose how to direct their cyber security resources for the greatest impact when dealing with cyber crime.”


© 2024 Professional Security Magazine. All rights reserved.
