Everything changed on 6 August 1991 when the first webpage was launched. Nearly 25 years on, we look at the state of cyber crime, the battle between cyber attackers and defenders, and the implications for the payments industry.
Back in March 1989, a CERN employee wrote a proposal about the “management of general information based on a distributed hypertext system.” “Vague but exciting” wrote his boss on the top corner of the document, allowing him to continue. The CERN employee was Tim Berners-Lee. And his proposal became the World Wide Web.
Now more than 2.8 billion people worldwide use the internet on around 10 billion internet-facing devices. The internet has revolutionised the way we shop, bank, date and deal with customers, suppliers and governments. The global e-commerce market was worth $840 billion last year, up 20 percent on 2013, according to A.T. Kearney. Most banks have extended convenience, value and choice to customers by developing an online and/or mobile banking interface.
It is not just individuals, businesses and governments that are connected via the internet — it is our things, too. Around 7 billion things were connected in 2014 via the Internet of Things (IoT), and this is expected to rise to around 26 billion in 2020, according to Gartner. The scope of IoT expands far beyond home appliances, and the oft-cited self-stocking refrigerator, to cars, people, industry and business, which in turn impacts our cities, infrastructure, transportation, health and so on. Gartner puts the value of IoT at $2.3 trillion in 2014, rising to $14.6 trillion in 2020.
The internet is becoming part of our lives. Our lives are becoming part of the internet, with all the data storage, privacy and security concerns that brings.
Crime and disorder online
Criminals have been deceiving consumers, businesses and governments for their own gain since there has been payment. Arguably, the criminals have driven the industry to innovate, and vice versa. The introduction of EMV chip technology, 3D secure, strong authentication, tokenisation and so on is helping the industry to contain certain losses and stay one step ahead of the criminals.
However, the internet has been a game-changer in how criminals operate. Some of its characteristics magnify the risks posed by criminals and the difficulty of defending against their actions. The internet is an anonymous platform, which is available to a global audience 24 hours a day. There is no centralised legal authority online, so enforcing contracts, locating suspects and prosecuting crimes are challenging, particularly if the offence crosses national borders.
Cybercrime has become a large, present and evolving threat such that it is now one of Interpol’s top 16 priorities alongside terrorism, human trafficking, crimes against children, drugs, firearms and so on. Cybercrime is becoming more organised and more commercial. It is perpetrated by international crime rings with operatives who are highly skilled, resourced and motivated to monetise their crimes on an industrial scale. Much, though by no means all, illegitimate cyber activity is conducted on the Darknet.
The Darknet, Dark Web or Deep Web is a part of the internet that most users do not see. Its pages do not show up on Google and it is designed to be used anonymously, particularly through multi-layered encryption technology, such as TOR (The Onion Router). This hides the source of original messages through a network of thousands of randomly-selected relays to help protect internet activity and identity. Unsurprisingly, the Darknet is popular with those who do not wish to be visible or traceable, such as dissidents, whistle-blowers, intelligence agencies, but also criminals.
Underground forums on the Darknet function as online bazaars for illicit goods and services. These include weapons, drugs, hardcore pornography, child abuse material, fake IDs, personally identifiable information (PII) and stolen card data. However, there is also another line of business that is booming.
“The most significant trend we’ve seen is the rise in cybercrime-as-a-service, where criminals buy, rent or outsource their activities,” says James Chappell, chief technology officer and co-founder of the cyber situational awareness company, Digital Shadows. “For bespoke cases, individuals can hire a hacker. It is similarly easy to rent the latest tools, such as exploit kits to infect victims with malware, steal credentials or hold a user’s files to ransom.”
These hackers for hire, off-the-shelf kits and home-study tutorials are lowering the barriers to entry for cybercriminals without specialised knowledge or technical skills (see boxed text). Attacks can come from activists, terrorists, competitors, disgruntled employees or even nation states, and look as if they are coming from somewhere else. So, what does this mean for businesses, particularly those in the payments industry?
Winners and losers
Cybercrime is the new normal. This is the context in which the payments industry is operating. The attack surface is broad, the attackers are many and various, and the prize is wider than card payment data and online banking credentials. Personally identifiable information (PII) and corporate intellectual property, such as blueprints, strategy and marketing plans, also have significant commercial value on the underground markets. Any company that handles data is a potential target.
In this context, business is booming for the cyber defenders. Research firm MarketsandMarkets expects the global cyber security market to grow from $106 billion in 2015 to $170 billion by 2020, a CAGR of nearly 10 percent. Yet, is it as simple as buying more security solutions? Who is winning, the cyber attackers or defenders?
For Chappell, the cyber attackers have the upper hand because the operating environment for cyber criminals is becoming more and more favourable. “Online marketplaces, ambiguous international laws, encrypted chat rooms, virtual currencies and anonymising technology have created a haven for criminals to congregate, exchange ideas, trade malware and coordinate attacks. While these have been around for some years, they are becoming more widespread.”
Benjamin Hosack, director at digital forensics specialist Foregenix, is seeing the impact of this within the payment industry. “We’ve seen a significant increase in the number of organisations getting hacked. We are expecting a sixfold increase in our caseload this year, compared with 2013. Of the breaches we’ve investigated this year, nearly 60 percent are e-commerce breaches.”
Hosack also cites a skills mismatch. “Highly skilled attackers are targeting organisations which are trying to protect themselves with somebody who probably has multiple responsibilities. They might be the only IT person in the organisation, and also look after security. They cannot stand up to a criminal who is skilled and focused.” There is also a lack of understanding of the cyber threat within the business, particularly at board level. “As a result the board will probably feel comfortable in a situation when they shouldn’t be,” says Hosack.
The tide may be turning
Over the last 12-18 months, the way data security is perceived at many companies may be changing. Retailer data security breaches and high-profile hacks, such as Sony Pictures and Ashley Madison, have acted as wake-up calls.
“The impact of cybercrime is much bigger than a card scheme fine for loss of data. There is lost revenue, productivity and ability to trade; costs relating to legal, technical and forensic advice, plus any regulatory fines; the impact on brand, reputation and trust, all of which adversely affects the corporate bottom line,” says Vaughan Collie, partner, Accourt.
The Ponemon Institute’s 2015 Cost of a Data Breach Study puts the average consolidated total cost of a data breach at $3.8 million, a 23 percent increase on 2013. Meanwhile 69 percent of consumers would be less inclined to do business with a breached organisation, according to Verizon. It is time to capitalise on awareness of the issues and translate this into action.
Hosack advocates conducting an independent assessment of the risks to a business and its data assets, and then mitigating the risks appropriately. Chappell feels that collaborating as well as, if not better than, the criminals is key. “Sharing with peers, law enforcement and computer emergency response teams has helped organisations to pool resources and collate what they know about attackers,” he says.
Given the state of the cyber nation, maybe it is worth changing the emphasis from risk prevention to one of risk detection and recovery. Cybercrime is the archetypal external risk that affects all industry players. It may impact individual organisations differently depending on their approach and readiness.
Who’s who in the cybercrime underground
The cybercrime underground is a close-knit, self-supporting ecosystem made up of buyers and sellers, plus those who facilitate trade. Some of the players include:
Botnet operator — controls an illegal robot network of compromised computers, which are monetised to send spam e-mail, distribute malware or conduct activities where considerable computing power is an advantage (e.g. DDoS attacks, click fraud, CAPTCHA-solving or Bitcoin mining).
Broker, bundler, reseller — the cybercrime underground, as any system, contains those acting as intermediaries between buyers and sellers (brokers), those who put together two or more products/services into a single package with one price (bundlers), and those who buy in bulk and may add some value before selling the product/service on in smaller lots (resellers).
Coder — provides computer code which is usually malicious and for criminal intent (e.g. malware, botnet or spam template code). May also package code they have written for sale to others as off-the-shelf kits or in the form of educational tutorials, which lowers the barriers to entry for committing cybercrime.
Phisher — acquires personal credentials (e.g. passwords, logins, financial data, e-mail contacts) by deception.
Ripper — a criminal who rips off other criminals, either by offering low quality wares, which are not as originally claimed, or failing to deliver in exchange for the fees they charge.
Shell company supplier — provides fake companies for use in criminal activities. These may come complete with company address, business registration numbers and principals with validating information (e.g. home addresses, social security numbers). There is also a market for fake e-mail and social media accounts within the criminal underground as a delivery mechanism for various social engineering scams.
Spammer — sends unsolicited bulk e-mails, typically used to market or advertise products/services direct to consumers on behalf of the sender (or sender’s sponsor in the case of affiliate marketing models).
Underground forum administrator — runs an online platform where buyers and sellers can meet to share information and trade, vets the members, reviews products/services sold, manages escrow, minimises the presence and impact of rippers, and arbitrates disputes.
The post Cyber crime and disorder online: tip of the iceberg? appeared first on Payments Cards & Mobile.