It’s Britain’s fastest-growing offence. Right now, someone could be hacking into your files to steal your identity or squander thousands on your credit card. Bad enough for a private individual, but big businesses can lose millions, along with sensitive data. And what’s worse, with their corporate reputations to protect, no one is in a hurry to tell the world about it. So how can cybercrime be tackled?
When Stephanie Pountney received an unexpected package of perfumed bathroom salts at her home one day she wasn’t overly concerned. She assumed it was a free gift from the online health and beauty ‘shop’ she often used. Pountney had found internet shopping very convenient. Until, that was, the next package turned up, followed by 25 more over the next few days.
Like hundreds of thousands of people, Pountney had switched on to online shopping. The Interactive Media in Retail Group, a UK e-commerce industry body, estimates that 14 million British shoppers spent some £1bn at e-commerce sites in November – the most ever in one month in the UK and a 95 per cent increase on 2001.
There are problems, however. The respected US research company Gartner Group predicted late last year that online retailers in the US alone would lose nearly $500m due to fraud and suspect transactions. Pountney got a taste of this as she looked online at her bank statement, and found transactions she hadn’t made. Someone had stolen her credit card details. But how? She called the bank to put a stop on her card, but in the intervening hours the cyberprankster had been busy.
The packages were all from internet shops where she’d previously bought goods. ‘They spent £1,500 on make-up, underwear and books, and £200 on bath products. I’ve had colonic irrigation at my gym, and a DIY colonic irrigation kit turned up from a website in India. It was almost as if someone was profiling me based on the websites I’d visited. It was very scary from a psychological aspect.’
As she works in the software business, Pountney enlisted the help of colleagues who discovered the orders were coming from an insurance company in Reading. The company told her their network had been broken into by someone who was now using it as a front for his or her online activity. The culprit could be anywhere in the world. It was a ‘spoof’ attack. Internet protocol (IP) ‘spoofing’ is a method of making it look as if you are connected to the internet in one location, when you could really be anywhere on the planet. Pountney’s persecutor was most likely doing it for ‘laughs’. The trail had gone cold. Pountney had become the victim of a ‘cracker’. Hackers, by contrast, are computer enthusiasts who like to mess around with software and expose problems on the internet for benign purposes. Increasingly, some crackers work in serious, organised gangs. In the end, the bank refunded Pountney’s money and wrote to the online shops to get what information they could on the cracker. But in her efforts to get the prankster tracked down, Pountney met a wall of silence from every quarter. She went to the police with a file of technical information her company had gathered, but she has heard nothing since. ‘It’s very aggravating. This guy might have done this with hundreds of people. It’s as if you’re supposed to forget about it until it happens again.’
For most crackers, there are bigger fish to fry, namely big businesses and their IT systems. This could range from simply defacing a site – almost like graffiti – all the way up to stealing a database of credit card numbers or sensitive company information. Figures for this sort of cybercrime are rising. In September IT security firm Synstar estimated that over 1,000 UK organisations had been cracked into – almost a five-fold increase on the previous year’s 225.
Some 29m people use the internet in the UK, and the number of hackers, crackers and virus writers has risen proportionally. It’s estimated that criminal online activity is costing Britain as much as £10bn a year. MessageLabs, the IT security company, found two million messages infected in the first six months of 2002, double that of 2001. In April 2002 a PriceWaterhouseCoopers survey for the DTI found 44 per cent of UK businesses had suffered at least one malicious security breach that year; the average cost to firms was £30,000; some incidents had cost over £350,000.
Many of the biggest firms have responded by fighting fire with fire: other hackers. Nick Coleman, head of security services at IBM Europe, says: ‘We have teams of people who see if they can break in, both virtually and physically. In one engagement we were in the building in five minutes and got access to sales information on their systems. It’s part of our risk assessment for clients. We assess their vulnerabilities.’
For the crackers, writing computer viruses is another method of stealing or destroying data, more commonly the latter. Computer ‘worms’ are equally damaging. A worm is a self-replicating virus that does not alter files but lives in the computer memory and duplicates itself invisibly, consuming resources and thus slowing or halting other tasks, such as keeping a website running.
Data theft is the most common cybercrime, especially the theft of data about identity since these databases are rarely as secure as financial ones. Derek Bond, a 72-year-old from Bristol, spent three weeks in a cell recently after being mistaken by the FBI for one of America’s most wanted criminals. His passport number could in theory have been obtained online, or even via a database at a hotel he’d stayed at. Last year BBC journalist Paul Kenyon demonstrated how easy it is to steal IDs by copying David Blunkett’s identity. There are already websites where credit card numbers stolen from financial databases are for sale. In February information was stolen from more than 2.2m MasterCard and 3.4m Visa accounts in the US, when a company processing credit card transactions was broken into by a cracker. In 2001 there were 53,000 cases of identity theft reported to the UK Credit Industry Fraud Avoidance System, involving £1.2bn worth of cybertheft. But crackers are usually good at hiding their tracks – it’s possible that 90 per cent of cybercrime goes unnoticed by the victims.
That it’s hard to detect and rarely reported makes cybercrime the ultimate ‘silent’ crime. It presents a Catch-22 for businesses: they can report the crime, risk adverse reaction from customers and disruption to business, or stay silent, leaving police with no evidence and no argument to procure more resources for enforcement.
In January a survey of 40 IT company directors by the IT security firm Defcom found over two-thirds of organisations weren’t reporting attacks, from fairly trivial defacement of corporate websites to more serious attempts on firms’ databases. The reason? To protect their reputations. John Butters, a partner in charge of IT security at Ernst & Young, sees a lot of this hushing up in the City: ‘Companies don’t want to create the fear that they aren’t in control.’
In 1995 Vladimir Levin, a graduate of St Petersburg University, tricked Citibank’s computers into spitting out $10m. The bank failed to report the crack until Levin had stolen millions of dollars, calculating that the media coverage would cost them even more in shares and customers. He was later arrested by Interpol at Heathrow airport. In April 2001 the Home Secretary launched the National Hi-Tech Crime Unit, the UK’s first national law enforcement agency dedicated to this form of crime. It now has 46 officers in London’s Canary Wharf, and a small network of officers in the 43 regional police forces in England and Wales.
The unit divides cybercrime into two areas. ‘New crimes, new tools’ include crimes committed against computers and networks that present new opportunities to criminals, such as cracking, virus creation and ‘denial of service’ attacks. ‘Old crimes, new tools’ are traditional crimes supported by the use of the IT, such as fraud, blackmail, extortion, paedophilia and child pornography, identity theft, intellectual property crime and stalking. The unit deals with some of the biggest cases in the UK and some of the largest businesses in the world.
In June the unit commissioned NOP Research to survey leading organisations in the UK on hi-tech crime. The report confirmed what the police had known for some time – that businesses were reluctant to report online attacks to their systems because of concerns about their reputation with customers and shareholders. The study was presented at the first e-crime congress in London in December when it was revealed that among the 113 businesses surveyed, two-thirds said cybercrime was affecting their ability to function, while the same number had experienced virus attacks.
At the conference, Detective Chief Superintendent Len Hynds described hi-tech crime as able to ‘operate instantaneously, remotely and with disregard for sovereignty and geography’. He added that, increasingly, organised crime was being attracted by the possibilities.
Although almost all the companies had experienced at least one incident of serious computer-enabled crime in the previous 12 months, only half had involved the police, typically where there was a need for an insurance claim or if a successful prosecution was likely. The police were usually a second choice to having outside security consultants fix the problems, and one in 10 said they would not involve anyone outside the company at all. The National Hi-Tech Crime Unit has its critics. Patrick White, founder of Internet Integrity, an internet industry initiative designed to close the gap between legislation and technological developments, says the unit is facing in the wrong direction. He argues that the majority of businesses in the UK are small- to medium-sized, so more police resources are needed at the local and regional level, not aimed at the City or online paedophiles. A spokesperson from IT security research company m12g agrees that it’s smaller firms that offer the easiest pickings: ‘There has been a tendency for crackers, since early 2002, to choose ill-prepared, small- to medium-sized businesses, rather than well-protected government or corporate networks.’
A spokesperson for the NHTCU counters that the extent of crime online is unknown. ‘We are still growing the unit and are only targeting serious and organised crime in specific areas: virus hacking, online paedophilia, fraud and Class A drugs.’ In the US, the resources allocated to tackling cybercrime are vast, and Europe needs to catch up. The European Commission has proposed the creation of a European Network and Information Security Agency to co-ordinate national efforts with the work of business and consumer associations, and EU justice ministers have just approved new laws that could jail organised criminal crackers and virus spreaders for up to five years. In the UK the laws governing cybercrime are principally the Computer Misuse Act 1990, which covers cracking, and the Data Protection Act, which covers data identity. But back in 1990 the internet was unknown to most people, and critics argue that these acts are ill-equipped for the modern age.
Last May a bill to amend the Computer Misuse Act to protect computerised systems against a type of attack known as ‘denial of service’ was put forward by the Earl of Northesk, a Conservative peer. Denial-of-service attacks target a network’s bandwidth by flooding it with such a large volume of traffic that it crashes. Examples include trojan horse or worm programs such as the ‘I Love You’ and the ‘Klez’ viruses.
The Earl of Northesk agrees that denial-of-service attacks go unreported because businesses are fearful of revealing how vulnerable their systems are to cracking attacks. ‘The Government and the Home Office argue that the Computer Misuse Act would cover a denial-of-service attack, but I disagree, which is why I brought the Bill,’ he says.
James Fry, an associate at the IT specialist law firm Eversheds, believes the Act would cover ‘unauthorised use of IT systems if you stretched the definition’, but accepts ‘it’s a long way behind the technology’.
The Earl of Northesk’s Bill didn’t get past a first reading, but the Home Office says it is still looking at the whole issue of legislation. And not before time, according to Bill Goodwin, specialist journalist with IT industry title Computer Weekly: ‘Under the existing legislation, I can steal a PC and be prosecuted, but if I steal a database I can’t be prosecuted. Those are two big areas the Home Office is known to be actively looking at, but they haven’t reached a conclusion yet.’
In the IT industry it’s the ‘prevention’ through ‘preparedness’ rather than the ‘cure’ through prosecutions that seems to have produced the best results against cybercrime. In January a survey by Defcom revealed that over a third of companies believed the British Standard kite system (BS7799) covering best practices in information security had produced the ‘greatest impact on the reporting of cybercrime over the past 12 months’. Neal Ysart, senior manager in cybercrime services at PriceWaterhouseCoopers, agrees ‘prevention is better than cure.’
But what of those in the hacker community, who often rub shoulders with crackers? Most feel that the authorities are outnumbered. One hacker, called Phinn, says: ‘They don’t have the skills and experience to do the job effectively.’ A fellow hacker puts it more bluntly: ‘Think of it as 20 policemen trying to control a full-capacity crowd at Elland Road when Leeds are playing Man United.’
Three steps to cyber safety
1. Online financial security: Always use a single credit card for online purchases, and don’t use a bank account-connected debit card. Check that you are shopping with a reputable online store. Many now carry the Government-backed TrustUK Hallmark, which denotes an approved webtrader. When purchasing online, make sure there is a small padlock symbol on the bottom of your browser, indicating you have a secure and private connection for the transaction. Remember that ‘one click’ ordering, where sites offer the ability to store your credit card details, is convenient but not essential.
2. Identity security: There should be opportunities for you to opt out of handing over information to websites you might join. Check if you are allowing your email address to be sold to a third party company. Read a company’s privacy policy statement so that you know what they are going to do with your information. Don’t give out your passwords to anyone, ever. If possible, avoid publishing your main email address on websites via newsgroups or discussion boards. Consider setting up three separate emails and passwords for high security activities (banking and shopping), medium (email with friends and family) and low (chatrooms).
3. PC security: Use virus protection software and a firewall software package. (Broadband internet users should use a firewall as they are potentially more vulnerable to cyber attack since the connection is always on.) Don’t open unknown email attachments, even those sent by people you know. The devastating Melissa virus spread precisely because it originated from a familiar address. Don’t run programs if you don’t know where they came from. (‘Amusing’ files and programmes could contain a Trojan horse program or virus.) Disable hidden filename extensions in Windows. Make regular backups of your essential files.
(First published in The Observer, Sunday April 27, 2003)