Hard Numbers on Internet Crime


A recent headline claims that cybercrime is more profitable than the drugs trade.

How can this be true? Trafficking in drugs is a mature criminal enterprise; large-scale professional Internet crime only emerged in the past five years. The number of daily security alerts issued by VeriSign iDefense increased from 21 per day to 59, a 180% rise. If the claim that Internet crime already earns $105 billion a year is true and the growth rate is even a fraction of that, we are in very, very serious trouble.

Knowing the true state of Internet crime is important, and not just if customers are paying you to accurately analyze the situation. The Chief Security Officers of banks and other financial institutions that are targeted by Internet crime make sure that they understand their own losses. Statistics that greatly exaggerate the size of the problem only confuse the situation. CSOs are busy enough trying to stop Internet crime without the CEO asking if the loss figures they are reporting are correct.

Strong claims demand high levels of proof. The source of the “more profitable than drugs” claim turns out to be an anonymous headline writer for Reuters. The article itself is based on an interview with Valerie McNiven, an analyst with Cybrinth, after she gave a presentation at an information security conference in Riyadh. The first line of the article states: “Global cybercrime generated a higher turnover than drug trafficking in 2004”. This is a very different claim; turnover and profits are very different things, as anyone who has invested in an Internet startup knows.

Another problem with the statement is that the term cybercrime means different things to different people. A separate account of the same presentation in TechWeb explains that the definition of cybercrime used was much broader than the phishing, advance fee fraud and extortion rackets typically considered to be the principal forms of Internet crime. Instead the cybercrime definition “included corporate espionage, manipulation of stocks, child pornography, cyber-extortion and various forms of piracy.”

Recording industry executives are understandably concerned about online file trading networks, but it makes little sense to describe the hypothetical loss due to piracy as ‘turnover’. The recording industry certainly suffers damage from piracy; professional copyright thieves certainly make very large sums of money from piracy. But the amount of money made by the pirates is very much less than the damage they cause.

The same is true of almost every type of crime, and Internet crime is no exception. The spammer who sends out a hundred million emails is unlikely to see more than a thousand responses. If the product has a profit of $10, the net gain to the spammer is $10,000. The cost to network providers, anti-spam service providers and readers whose time is wasted is at least ten times greater.

Overstating the profitability of Internet crime makes the problem worse by encouraging more people to try it. Internet crime is certainly very profitable for some but the profits they make are certainly nowhere near $105 billion and only a small number make a significant profit before they are caught.

The article's suggestion that law enforcement cannot catch up because phishing sites are taken down “within 48 hours” is equally unhelpful. The phishing gangs would much prefer the sites to remain up much longer. The sites are taken down because of the work done by VeriSign Anti-Phishing services and other security teams working with ISPs around the world to bring down phishing sites as fast as possible. The aim of these teams is to bring the sites down in minutes or hours, not days.

Law enforcement has been catching up with an increasing number of Internet criminals. The US Department of Justice recently announced guilty pleas by six of the 21 US defendants accused of running the ‘Shadowcrew.com’ marketplace for credit card fraud. The Shadowcrew gang were caught by the US Secret Service working with law enforcement in six other countries. Earlier this year police in Brazil arrested 50 alleged members of a phishing ring.

The gangs are believed to be amongst the largest Internet crime organizations. The sums involved in these crimes are certainly very large, over $4 million in the Shadowcrew indictment and an estimated $37 million in the Brazilian case. But these figures suggest that the true extent of Internet crime is much closer to the $995 million estimate given by Gartner group than the $105 billion figure of McNiven.

Internet crime is certainly a serious problem that will get much worse in the short term. But work is already underway to mitigate the immediate impact of Internet crime and major changes to the Internet infrastructure are being planned that will make its fabric considerably more resistant to Internet crime.

It is not quite fair to say that the Web was not designed to be secure. A great deal of effort went into trying to secure the Web, some of which made it into the Web itself. As one of those who tried (and failed) to design security into the Web, our correspondent believes that a fairer statement would be that in 1995 we did not understand what the security needs of the Web would be in 2005.

Those security needs are understood much better today. For example, we understand that security is not just the ability of the bank to identify its customer; the customer has to be able to easily and reliably identify the bank. We understand that the Web now has over a billion users and we can no longer design systems for the technically literate.

We also understand that the security impact of the Web goes far beyond the Web itself. The phishing problem began when a group of hackers discovered a way to turn a stolen credit card number into a card and PIN number they could use to withdraw cash from an ATM machine. That particular attack has now been (largely) blocked but the phishing gangs continue to find ways to use the Web to magnify the effect of weaknesses in the financial services infrastructure.

At the root of the phishing problem is the fact that a credit card number or a password is not a very good way of protecting money. Internet crime makes the replacement of these outdated techniques an urgent priority. But it is a priority that there is still time to carefully analyze and plan for. We must upgrade the Internet infrastructure to make it crime resistant, but we cannot change the Internet every day. We have a limited number of shots; we can and must take the time to aim them well.
