Cybercrime is a global epidemic costing billions of dollars, and nobody’s really talking about it
Losing the battle and the war
By Gail Balfour
November 23, 2010
November 23, 2010
According to Menn’s research: at least 50 per cent of U.S. credit card numbers are currently in the hands of criminals, tens of millions of PCs worldwide have botnets and other malware running on them, and more than 90 per cent of all computers have known critical vulnerabilities that have not been patched.
“It used to be that unless your computer started spewing pop-ups and moving incredibly slowly you were probably okay. You can’t assume that anymore,” Menn said.
“You should assume, in fact, that your stuff is already out there being swapped around in Eastern Europe. And you should check your credit card bills and banking statements to make sure you don’t see anything unusual.”
Many of us have experienced the annoyance of computer viruses or adware that slows our computers down from time to time. But the problem is far more damaging than people realize, and no one is really talking about it. According to Menn, by 2009, 30 per cent of Americans had become victims of some type of identity theft and companies and individuals were losing an estimated US$1 trillion a year to Internet criminals.
The new Cold War
Most of the big-time cybercriminals reside in Russia (where Menn spent months researching his book) or other parts of eastern Europe, and are members of organized crime rings. Unfortunately, this makes them largely untouchable. “It’s hard to tell where the line is between organized crime and government. We are not talking about disaffected teenagers anymore, we are talking about mobsters.”
And no one has an incentive to tell people what’s really going on, he said. “Computer companies want you to buy computers. Online retailers and banks want you to do more online—they don’t want you to be freaked out about it. And security companies want you to be scared enough to buy their products but not so scared that you realize their products won’t actually protect you.
“The reality is we are catching way less than one per cent of the worst bad guys. Nobody’s going to tell you that and that’s one of the reasons this is going to continue to be a problem.”
Learned helplessness
Lynn Hargrove, director of consumer solutions with Symantec Canada in Toronto, agreed that lack of awareness and of reporting are two major issues contributing to cybercrime, adding that most people suffer from a “learned helplessness” and assume risk is a fact of online life. Typically, less than 50 per cent of people will report an incident to any authority figure.
“People don’t report because they just don’t know where to go, but also because they feel shame.” In fact, almost 80 per cent of consumers believed they were the ones to blame because they did something wrong or were not careful enough, according to a recent global survey, she said. Ninety-seven per cent of consumers believed they would fall victim to cybercrime, and about 80 per cent believed the criminals would never be brought to justice.
But the most important action people can take is to report incidents, she said. Depending on the circumstances, consumers can report to the police, their bank or to online resources such as Cybertip.ca.
People also tend to be complacent about cybercrime because it just doesn’t seem like “real” crime and there is little perceived risk of personal loss, said Dr. Avner Levin, an associate professor and director of the Privacy and Cyber Crime Institute at Ryerson University in Toronto. “Cybercrime doesn’t have a direct impact on our lives the way real crime does. Someone steals my credit card, it’s not my personal problem, it’s the bank’s responsibility. The bank is prepared to cover the cost because they want us to keep spending our money.”
He agreed with Menn that most consumers don’t know what is going on and that banks and credit card companies would like to keep it that way. “Banks are very opaque: they hide behind the security argument. They will not confide in us what really happens.”
Levin’s own Visa was compromised in a store, but when he asked the credit card company which store was the culprit, he was stonewalled. “They told me it was not my concern. They don’t want you to know. They want you to feel safe and create an environment in which you feel there is no risk of personal loss.”
Smarter also means riskier
When we think of cybercrime we tend to think of online transactions, Levin said, but as our cars and homes incorporate more technology—think of GPS systems and smart hydro meters—more information is collected about us and our lives, and that can be exploited.
For example, smart hydro meters in homes collect consumption information and can pinpoint times when people are not typically at home. GPS systems carry home addresses. Mobile phones have location-based information.
All this data, if hacked, allows criminals to paint a picture of where we go and where we live, and makes robbing a home or stalking an individual that much easier. And there are no clear guidelines in place for consumers to protect themselves, or even know who is responsible for protecting them.
David Senf, research director, infrastructure solutions at IDC Canada in Toronto, is also concerned about smarter devices. “The more mobile devices get and the smarter they get the more people use them for transactions. There is more opportunity just from the sheer number of devices being used,” he said.
Things like harassment, bullying and other forms of online exploitation are also forms of cybercrime, Levin said. And with young people growing up in the social networking era, there is more personal information online to exploit. “The younger generation has a different view of privacy. They very much want to share and they go online to socialize. They are not online to be private. This is the way young people form their personality. It’s like they are trying on costumes,” Levin said.
To address this, people need to learn the difference between privacy and identity management. “It’s not what you share, but who you share it with.”
But even when people do all the right things to protect themselves—keeping virus scanners up to date, using firewalls and secure passwords, etc.—there are still “several points of failure,” from keyboard information and possible keylogger infections, to databases that store information, to ISPs and even drive-by browser malware attacks, Senf said.
Cybercriminals also prey on human nature, and are constantly improving social engineering techniques to get people to believe something is legit. “People are always going to get suckered,” Senf said.
The shame factor
Many victims end up feeling embarrassed and angry. “About a year ago, I was on Facebook and clicked on a link embedded in a message sent by one of my Facebook friends. I later learned it was a fake e-mail alert created by a criminal,” said Kristi Thorburn, a Canadian pilot living in Charlotte, N.C.
The link was to a fake antivirus company, which asked for credit card information. Thorburn complied, thinking it was a legitimate update that her system required. “I was shocked and couldn’t help but feel silly to have provided my credit card number. I know this is a very common scam, but I never thought I would have fallen for it,” she said.
For Thorburn, the incident simply served as a wake-up call for more stringent Web practices. But for Murray, a Hamilton, Ont.-based mechanic who prefers his last name not be published, cybercrime totally changed his online behaviour and trust.
He used to be very open in Web activities, and even met his wife online. Today it’s a different story.
It started with phone calls asking if he was okay. His e-mail had been hacked (he believes through Facebook) and a bogus note was sent to everyone in his address book saying he was in trouble and needed money. He also found he could no longer log in to his e-mail and had lost about 12 years of correspondence and address information.
“I was like, you gotta be kidding me. I thought I had a very safe password.” He filed complaints to Facebook, his e-mail provider, an online cybercrime resource and even to the police, “but I never heard back from anyone.”
Since the incident, Murray makes a point of being online as little as possible. He has deleted his Facebook account, opened a new e-mail account with a fake name, and rarely even uses credit cards anymore.
He sometimes misses being on Facebook and the connections he had made with old school friends, but said he would never go back.
“It’s just not worth it,” he said.
Top 10 riskiest online Canadian cities
1. Burlington, Ont.
2. Port Coquitlam, B.C.
3. Langley, B.C.
4. Vancouver
5. Calgary
6. Oakville, Ont.
7. Markham, Ont.
8. Toronto
9. Kelowna, B.C.
10. Kitchener, Ont.
The rankings were determined through a combination of data on cyber attacks and potential malware infections, and third-party data about online behaviour. Both Vancouver and Toronto rank highly in the consumer expenditure and Wi-Fi hotspot categories. Oakville’s residents spend more on Internet access and computer equipment than residents of any other city in Canada. Of the 50 Canadian cities examined, most of Quebec’s municipalities ranked among the least risky.
Source: Symantec Canada, March 2010
Cybercrime: the silent epidemic
> 65% of adults worldwide have been victims of cybercrime
> only 3% expect not to fall victim to cybercrime
> 79% do not expect cybercriminals to be brought to justice
> 32% restrict the Web sites they visit
> nearly half of those surveyed think it’s okay to steal music and movies online
> 11% think it’s okay to impersonate someone online
> 12% think it’s okay to use someone else’s research
> 12% say it’s okay to browse someone else’s files and e-mails
> 5% even think it’s okay to hack into someone’s computer and sell their personal information online
> in Canada, resolving one instance of cybercrime takes an average of 17 days and costs an average of US$561
Source: Norton Cybercrime Report: The Human Impact, September, 2010
Who is responsible for online security?
> 42% of users feel it’s up to them
> 18% say it is Web site owners’ responsibility
> 15% say it’s software vendors
> 9% say there should be global legislation
> 7% think it’s up to the Canadian government
> 6% say law enforcement is responsible
> 3% other
Source: IDC Canada, 2009
Illustration: www.gavinorpen.com
