Threat Management, Incident Response, TDR

Collaborating against e-crime

One of the lasting contributions of the internet has been the establishment of e-commerce. Due to its convenience, limitless choice, ability to comparison shop and 24/7 availability, e-commerce is one of the fastest growing business segments ever.

Yet, e-commerce isn't only attracting online consumers. It's increasingly attracting cybercriminals who are constantly deploying new, creative methods to attack and steal money from internet users. Today, e-crime is becoming such a widespread occurrence that it won't be stopped without decisive, global action.

I've seen first-hand how security technology failures go through a predictable sequence: initial discovery by security professionals, followed by wide scale abuse by teenage vandals and, finally, appropriation by criminal enterprises. Now that the teenage vandals have largely dropped away, we are left with professionally executed attacks motivated solely by money. This evolution has only been a feature of the information security landscape since perhaps 2004 – in less than five years, e-crime has changed from an anomaly into an industry.

If e-crime continues its rise, consumer confidence will be eroded, possibly leading to popular abandonment of the internet and e-commerce. The problem we still face, though, is that governments, industry and law enforcement are divided and too often uncoordinated, which is a stark contrast to the criminal gangs who are extremely well-connected and coordinated.

Given this lack of coordination, the question remains: “Who's responsible for making the internet safe?” I'd argue that there should be a shared responsibility among government, private industry and consumers.

A good starting point would be developing a globally harmonized framework of legislation against e-crime.

Governments need to agree on the definitions of e-crime so that attackers can be aggressively pursued in the criminal justice system. In order to achieve this, it's quite possible that a new global governance organization is needed, as opposed to fractured regional ones.

Secondly, governments need to substantially increase their investment in e-crime law enforcement. The internet is a global entity. Either we need to find a way to enable global law enforcement teams to cooperate effectively, or we should give up on attempting to police the internet locally, and establish the “InterNetPol.”

Action is needed and we must act soon. If we collectively take no action, then we have perhaps five to ten years before criminal greed takes the internet away from us.

Financial fraud rises
The average annual loss reported by respondents doubled to $350,424 from $168,000 from the year before – with financial fraud causing the greatest damage, according to a 2007 survey from Computer Security Institute.

Gone phishing
A recent report from Gartner suggested that the international “take” from just one form of e-crime, phishing, was $3.2 billion in 2007 (and this number may be an underestimate, according to the report).

Look ahead
Companies need to invest substantially in the security of their applications and infrastructure, says PayPal CISO Michael Barrett. State of the art fraud management systems are essential today, he says.

Use the law
PayPal works with law enforcement to catch, prosecute and convict criminals. If others adopt the same strategies, Barrett is confident that phishing will become substantially more difficult and less financially rewarding.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.