More than 40 million credit and debit card numbers were stolen in 2005 from TJX stores because of insecure wireless networks. A total of 250,000 computers were infected in 2005 and 2006 with information-stealing malware. And the Federal Trade Commission received more than 800,000 consumer fraud and identity theft complaints in 2007.
While modern technologies make shopping, paying bills and managing accounts easier, they — and we — aren’t infallible. We often have a false sense of security, and our electronic transactions can leave us vulnerable to cyberattacks.
“The good guys look at the Internet and say, ‘We can make people’s lives more convenient,’” said Michael Kaiser, executive director of the National Cyber Security Alliance, a nonprofit that provides knowledge and tools to prevent cybercrime. “[But] we’ve got to remember that cybercriminals take all that potential and they use it for bad things.”
Because Internet use spread so quickly, proper security features were not developed. The eBays and Amazons of the world were born overnight, and consumers were driven to spend more time online, opening themselves up to the possibility of cybercrime. Now companies, organizations, government agencies and researchers are playing catch-up, trying to retrofit security features.
“If you think about cars, it was many decades from the introduction of the car [that] we became the car culture. If you think about the Internet, it’s just been like a dozen years,” Kaiser said. “That speed of rollout and that entrepreneurial spirit have brought us unbelievably robust Internet applications, [but] I think [it] has not been done as thoughtfully [around] the kinds of risks that people face. And we haven’t spent much time teaching people about Internet safety and security.”
When cybercrime began, it was relatively innocuous and would more aptly be called cybermischief. The viruses deployed did only superficial things such as change the time on the clock, Kaiser said.
“It was about hackers trying to show they could beat the system,” he explained. “Then cybercriminals realized they could make money doing this, and that’s when we started to see spyware [and] malware. I think as long as there’s the ability to make money through cybercrime, there are going to be cybercriminals.”
Cybercrime includes identity theft, stalking, domestic violence and terrorism and involves botnets, viruses and Trojan horses.
“In the early days of the PC generation, computers could barely talk to one another. People basically worked in closed systems, and what we had was ‘sneakernet,’” said Kaiser, using the tongue-in-cheek term to describe the transfer of electronic information via removable media. “As that changed, [it] opened up opportunities for criminals. As computers talked to each other, as users talked to each other, as the Internet started to roll out and people were sharing all kinds of information, that created a lot of opportunities for crime.”
Like traditional U.S. crime, a fair amount of cybercrime occurs between people who know each other.
“It’s important that people remember they’re not only defending against the person who’s out there on the other side of the ocean, but it could be the person under the same roof,” Kaiser said. “There are a lot of cases of people who are in domestic violence relationships, where [their partners] have put spyware on their computers to track their online behaviors.”
As for outsider offenses, a frequent method of attack involves tracking keystrokes, said Virgil Gligor, co-director of CyLab and professor of electrical and computer engineering at Carnegie Mellon University. This occurs when a user visits a malicious Web site that secretly downloads keystroke-tracking software onto his or her computer. When that user logs in to his or her bank account, this tool records that information and returns it to the cybercriminal.
“This is a very potent attack that has been launched in the last two or three years,” Gligor said. “The FBI and Secret Service, with the help of banks, have been tracking and investigating such attacks.”
Gligor said he believes the adoption of a new Internet architecture is the long-term solution to the Internet’s security flaws. But it will take time to implement, he said, and in the meantime, security professionals will have to continue to patch whatever holes they find.
“The problem is that the more we look, the more we find,” Gligor said.
There is a camp that argues that the immense popularity of the Internet is due to its insecure nature and that the lack of bureaucratic features is what made it catch on like wildfire.
“To have accountability, you have to have registries of systems and users,” Gligor said. “Clearly, the spread of the Internet if such structures were imposed would have been a lot slower. On the other hand, some people consider this to be a fallacious argument because we as a community could have anticipated that, if we don’t build in security from the start, it would be very difficult to retrofit [it] afterwards.”
Is Your Identity Safe?
Once upon a time, identity thieves would search through garbage looking for discarded mail or other documents containing an individual’s personal information. Some still resort to this tactic, but an Internet connection gives many the ability to steal more information faster.
“People don’t realize when you e-mail someone a credit card number to buy something or instant message a friend [your] Social Security number, that’s essentially the same thing as going into a crowded room and shouting across what your information is,” said Todd Feinman, CEO of security and privacy technologies firm Identity Finder.
Just think about what’s on your blog, your Facebook page or your Flickr site.
“The Internet has become about biography,” Kaiser said. “It’s kind of amazing how much information is out there about people.”
A survey by Javelin Strategy & Research found that 8.4 million Americans were victims of identity theft in 2006. The average fraud amount per victim was $5,869, and the average resolution time was 40 hours. Understandably, the impact of identity theft can be devastating.
“I’ve heard of cases where people have taken out mortgages for houses in someone else’s name,” Kaiser said. “More common [is when] people attempt to access existing resources like a bank account.
“[But] the impact of those things is long-lasting. Once your credit’s been breached and your information is out there in these criminal networks, it requires an enormous amount of vigilance to clear it.”
Unfortunately, catching and prosecuting identity thieves and cybercriminals is even more difficult. In the aforementioned TJX case from 2005, which Feinman said highlighted one of the biggest identity theft rings to date, the main perpetrators weren’t caught until mid-2008.
“Most identity thieves will never be caught unless they’re really going on a limb and ordering products online that are delivered to their home,” Feinman said. “The U.S. jurisdiction only goes so far, [and] a lot of times these people will go to countries where there are no extradition laws.”
The Rise of Phishing
Fred Cate, a distinguished professor at the Indiana University School of Law and director of the Center for Applied Cybersecurity Research, said the development of phishing often is traced back to the early days of America Online (AOL), when the company charged for access by the hour. At that time, phishers would try to steal customers’ account numbers.
But today the game has changed. Between Jan. 1, 2008, and June 30, 2008, there were at least 47,324 phishing attacks, according to the Anti-Phishing Working Group’s Global Phishing Survey. Further, phishing now targets bank-account holders and customers of online payment services.
“Phishing is something old and it’s something new in that phishing is just a con game. And con games are based on building your trust, so the more the e-mail is spoofed to look like an e-mail from your bank, the more likely you are to click on those links,” Kaiser said.
Phishers also have become more sophisticated in their attacks, using current events to lure individuals into reacting.
“The recent global financial crisis [has] caused a lot of confusion,” said Paul Wood, senior security analyst at MessageLabs, a provider of integrated messaging and Web-security services. “The bad guys can capitalize on that confusion. Recently, there have been a number of [phony] messages from banks [involved in mergers] to encourage people to verify their identity. That kind of activity has increased sharply in recent weeks.”
Wood believes phishing flourishes partly because users are not as aware of threats as they should be. “If somebody were to knock on your door and ask to come into your house and check your electricity, you might be immediately suspicious. [You might ask] for some identification to phone [the company] they claim to be from,” Wood said.
“But when you’re online, it’s very difficult to try and think in that way or to actually do any of those things. We’re willing to give out a lot of information about ourselves when perhaps we should be a bit more cautious and guarded.”
It’s important for individuals and companies to have the core defenses — patches, anti-spyware, anti-virus and firewalls — but it doesn’t matter how secure your computer is if you make a mistake.
“In many ways, the biggest challenge is not technological; it’s behavioral,” Cate said. “For example, we’ve known that good passwords were a key part of security. Yet we have a lot of trouble getting people to use them and not write them down. You can have the most secure system in the world, but if a user unwittingly grants an outsider access through a phishing e-mail, you’re in trouble.”
But it’s difficult for users to be knowledgeable about Internet security if no one teaches them, said Kaiser. Parents need to teach their children, schools need to teach their students and workplaces need to teach their employees.
“Our goal is to make cybersecurity second nature — and that means we want to see education integrated into every phase of life,” he said. “In order to get people to be safe on the Internet, we have to teach them good habits, and we have to reinforce those habits all along the way.”
He recommends that people ask themselves three questions whenever they’re using the Internet: Who is asking me for this information? What are they asking for? And why would they need this?
But there’s only so much we can do, Gligor said.
“New technologies enable new adversarial behaviors. The security [mechanisms] developed for the adversary in the mid to late ’90s might not be sufficient for an adversary in 2009,” he said.
Ultimately, it’s a trade-off. To have the freedom that we have on the Internet, we have to give up some security.
“Can you ever have total safety? No, but you can come very close,” Kaiser said. “I’m going to go back to my car analogy. If you follow the rules of the road, if you don’t drink and drive, if you buckle your seatbelt, if you follow a few safety parameters, you can be safe most of the time. However, there will still be occasional accidents, and I think that’s probably acceptable in exchange for what you get, which is the freedom to go pretty much anywhere you want, anytime you want.”
– Lindsay Edmonds Wickman