Hui's JOMC221 Journal

THE SCOPE OF ONLINE CRIME

I have chosen online theft as my topic. It is a growing, multifaceted problem that touches each of us, if only indirectly.

Two articles by USA Today columnist Jon Swartz provided the impetus for this article. You can access his 10/21 (“Crooks slither into Net’s shady nooks and crannies”) and 10/24 (“Home PCs are not as protected as owners think”) articles by searching the USA Today Web site. The scope of this topic is addressed in terms of money, trends and potential issues. Some possible solutions follow.

1. SCOPE: MONEY
One’s own money is at risk by people who break into our mail boxes and intercept our Internet communication. Moreover, even if one uses the latest encryption software, the costs of losses may result in higher prices for all items. It is just like shoplifting. Everyone pays for it, though only a few are responsible for the malicious behavior.

According to Swartz, consumers and businesses, such as credit card providers, lost $14 billion to online crime: ten billion for spam, two billion in losses for online merchants, and two billion from individual victims of scams. Losses of consumer confidence and future revenue are harder to gauge.

2. SCOPE: TREND
One can see that the scope is very large and increasing, according to Ferris Research. Online fraud is surging according to the National Fraud Information Center. Swartz cites FBI statistics and examples to demonstrate the increase in online extortion. What is more disturbing is one trend that has not changed; namely, victims of online crime are unwilling to discuss it. Individuals may be too embarrassed; large corporations may be hesitant to advertise their systems’ vulnerability.

On a positive note, legislation and penalties are growing in volume and severity. For example, on October 7, 2004, the U.S. House of Representatives passed a law against spyware. International cooperation (e.g., an extradition treaty) is also needed as criminals set up shop in the countries with the least legislation.

3. SCOPE: POTENTIAL ISSUES
Could a cyber-attack close a bank? Could one damage national security? Amit Yoran quit his post as the American national cyber-security chief because these questions were not being dealt with. This follows the departures of Richard Clarke, Rand Beers, and Howard Schmidt. I guess it is not an easy job. In any case, the U.S. is not getting the leadership it deserves in addressing the threat of cyber attack. What is not speculation, though, is the potential harm from our reliance on computers.

HELPFUL MEASURES
I do not think that the threat of cyber crime will increase unchecked forever. There are solutions to the existing and potential problems that involve forethought and cooperation amongst the different government agencies and private security companies. In fact, aside from technical aspects, most of the crimes and threats exploit the absence of security measures and cooperation .

No man-made technical solution can avoid being defeated by people. There are many possible measures that can contribute in a positive way. I hesitate to use the word ‘solution’, but feel the combination of all the following measures would lead to safer surfing. These four measures seem like common sense to me.

Measure 1: INCREASED AWARENESS
The first solution seems the most effective, but may also be the most unrealistic. I immediately think about the difference between the terms ‘safe sex’ and ‘safer sex’. Replace ‘sex’ with ‘Internet use’ and one immediately gets a realistic picture of the limitations of online security. Specifically, one can never be 100% safe from online theft. All one can do is mitigate the risks. Since people sometimes do not take care of their health, with potentially fatal consequences, it is likely too much to ask them to responsibly manage their online activities. People want plug-and-play PCs and care-free surfing.

So, it is helpful to explain the risks involved. Any talk of security protocols, firewall software or Internet security benchmarks is premature before one realizes the potential risks. People must first understand that they can lose lots of money as well as their good name through cyber crime.

Above all, everyone has to realize that the Internet is a public space. The privacy and security of one’s home does not necessarily extend to the Internet. Clearly, it is not in the interest of the PC makers and sellers to emphasize this. Some public bodies should raise awareness in order to fill this common sense gap. The following three resources are all free!

Resource #1: http://www.cisecurity.com/ is an international, member-sponsored organization. You can read its charter HERE.

Resource #2: I think that the National Cyber Security Alliance raises awareness, but just for those who hear about it. It takes a lot of money and marketing skill to get their message out.

Resource #3: http://www.sans.org/top20/ has information about computer vulnerabilities that criminals can exploit to reach your sensitive information.

Measure 2: REGULATE/LEGISLATE WEB ACCESS POINTS
One cannot rent a car without a driver’s license. One cannot buy a cellular phone without identification. Getting online is not regulated at most Internet cafés. Without such a system of online user-identity, today’s cyber-criminals can go from café to café, or network ‘hotspots’, committing fraud and theft. An IP number trace would provide no useful information.

On the other hand, this measure must be balanced with the idea of increased access to the Internet. An effective measure should not be a barrier to access. Telephone and mail fraud were around for many years before specific laws came into effect to combat them. Al Capone was brought down by stiff laws against mail fraud (and Robert Stack). A Net-savvy criminal needs to face similar laws and penalties.

Resource #4: http://www.mit.gov.in/it-bill.asp. In India, for example, the IT Act of 2000 specifies that identification must be provided at public Web access points. You can download the PDF file of that law HERE.

Resource #5: Read an interesting article about exploiting network ‘hotspots’ HERE. Again, the author is Jon Swartz.

Measure 3: BETTER SECURITY TECHNOLOGY
Almost anything made by people can be circumvented by people. I still think that if ‘next-generation’ technology lives up to its name, the public will benefit. One of the smartest things for public and private Internet security organizations is to hire cyber-criminals. If the penalties are stiff, cyber-criminals would be adequately motivated to cooperate.

Any improvements in security technologies will be defeated in time. This measure deserves attention because it provides another hurdle for criminals to overcome. There are no guarantees, but more is better.

Resource #6: HERE is one company that sells computer security information and security services. There are several private firms that do the same business and the field is growing.

Resources #7 & 8: “Cyber Crime” by Laura E. Quarantiello is one of many, similar hard-copy resources. It was
interesting to learn the new vocabulary words written on her site, but the best resource
I found was http://www.antionline.com/.

Resource #9: I have read, and can recommend, online articles by Symantec. I am one of their customers.

Measure 4: BUNDLED FIREWALLS WITH ALL NEW PCs
This is probably the simplest, most cost-effective measure. Any country can stipulate that firewall software be bundled with new computer sales. This does not mean that used computer sales would have it, but new PC sellers would not want to risk any big fines. With an economy of great scale, the price of firewalls would come down. Consumer awareness of firewalls and their use would go up.

Resource #10: http://www.interhack.net/pubs/fwfaq/ has an in-depth explanation of firewall technology.

Resource #11: I found a simpler, common-sense site at http://www.firewallguide.com/.

// posted by Hui Liu @ 1/23/2005 01:54:00 AM