Criminals
hot on cyberspace money trail
By M.J. Zuckerman, USA TODAY ©
03/22/00- Updated 09:50 AM ET
WASHINGTON -- A survey of systems
professionals out Wednesday shows 70% report being
victimized by serious computer crimes, especially on the
Internet.
When equipment theft, viruses and
other pilfering are factored in, the figure rises to
90%, according to the fifth annual survey by the FBI and
the Computer Security Institute (CSI) of San Francisco.
Those claiming financial losses
reported totals exceeded $265 million, more than double
that of 1999.
"There is exponentially more
money and value being placed on the Net," says
Martha Stansell-Gamm, head of the Justice Department's
computer crime section, "and that is attracting a
kind of crook in the model of Willie Sutton."
Sutton was notorious for nearly 100
bank robberies in 30 years. Upon his arrest in 1952, he
is said to have explained why he robbed banks:
"Because that's where the money is."
"If Sutton were around today, he
most certainly would say, 'I rob e-tailers because that
is where the money is,' " says Kawika Daguio of the
Financial Information Protection Association.
The numbers in a new survey of systems
professionals bear him out. The fifth annual Computer
Crime and Security Survey shows that the Internet is
termed a "frequent point of attack" by 59% of
those responding; in 1996, only 37% cited the Net. In
the past year alone, those reporting crimes involving
breaches of Internet security rose from 62% to more than
70%.
Law enforcement and private sector
officials long have insisted that Internet prosperity
combined with maturing, skilled cybercriminals would
fuel an online crime spree against businesses.
"There aren't a lot of good data
to really measure the scope of criminal activity on the
Net," Stansell-Gamm says. "But I can tell you,
anecdotally, we're seeing lots and lots of extortion --
not merely hacking, but crimes for profit or
malice."
Her view is reflected in the trends of
rising online crime shown in five years of member
surveys conducted by the CSI, which provides security
training for corporations and governments.
"Nationally, crime is going down,
but in cyberspace crime is rising, and it's going to
continue rising because there's always more crime on the
frontier than there is in long-established
communities," says Richard Power, who directs the
annual CSI survey in cooperation with the FBI.
Not wanting to jeopardize public faith
associated with the Internet's growth, business has
treated online crime losses as a cost of doing business.
Like shoplifting suffered by traditional retailers, Net
companies label the losses as "inventory
shrinkage" and rarely report them.
According to the new survey, that
practice has changed little in recent years. Among
companies suffering Internet losses, those reporting to
authorities dropped from 32% to 25% over the past year.
Why? More than half cited negative publicity, while 39%
worried about competitors.
Some businesses and "many bankers
fear that all the attention" being paid to online
crime could become an excuse for government to more
closely regulate and patrol the Internet, Daguio says.
Meanwhile, the Justice Department has
budgeted $1 million for next year to develop methods for
collecting closely guarded data on computer
vulnerabilities and security breaches.
Alan Brill of Kroll-O'Gara, an
international security and investigations firm, calls
online extortion "a very real problem" that's
made more complex by criminals' recognition that
businesses will go to great lengths to avoid publicly
acknowledging a weakness. "In some cases, merely an
extortionate threat gains value without ever having to
commit the underlying act," he says.
He notes that online extortion
typically involves a former employee departing with some
secret, perhaps the code for essential corporate data,
and returning weeks later as a "consultant"
demanding a king's ransom for the code.
"Now we're seeing more and more
cases of outsiders getting into systems, lifting
important data and demanding a ransom for its
return," Brill says. "Next I expect they will
attack (child) porn sites, grab customer lists and
threaten to expose the customers' surfing habits."
That's what made two attacks in
January unique. When online music store CD Universe and
Visa International in London refused to pay off, the
extortionists went public, boasting to the media that
they had stolen hundreds of thousands of credit card
accounts using the Net.
"Clearly, the kind of losses
suffered by CD Universe is nothing new," says Drew
Williams of BindView Corp., a security marketing firm in
Houston. "Is this a new trend in computer attacks?
No. Are we going to see more of these kinds of attacks?
Yes. It's simply the result of more businesses coming
online and having those assets exposed.
"Organizations have to do basic
homework before they do business online," Williams
says.
But even with the best protection
money can buy, thieves will always follow the money,
Power says: "As long as we have had storefront
businesses, you've had people in the neighborhood trying
to sell you protection. Why should it be any different
in cyberspace?"
TOP
