Security Watch

Is 'Cybercrime' Really Killing the Internet?

Media coverage belies the actual damage being done.

Just before the U.S. Memorial Day holiday, we have the news that 26 million U.S. veterans' personal information has been stolen from the home of a Veterans Affairs worker. The VA is going to notify each of the vets to warn them to be on the lookout for abuse of their information.

As a result of stories like these, we get other reporters suggesting that theft of information via cybercrime -- which today seems to mean any form of crime that involves a computer, including the theft of a laptop from a home or cafe -- is "mushrooming."

Who here thinks we only started to store personally identifiable information on computers in the last year or two? Who thinks laptops and desktops, and servers for that matter, have only recently started being stolen?

If we add up the numbers from all of the reported identity theft stories, every U.S. citizen is likely to have already had their identities stolen, likely more than once. Yet we don't see the expected deluge of stories about people, in the millions, who find out they have a second home they've never seen but have to pay for, or millions going bankrupt in order to avoid the abuse of their credit.

I'm certainly not suggesting that such crime doesn't happen, or that there aren't any victims out there who have had such problems. I'm only saying the problem is far greater in the media than it is in the average consumer's lives. And the mandated disclosure of such data losses are going to fuel stories for years.

Consumers certainly are questioning whether their information is safe, at least those few who are actually paying any attention to such stories. Reality tells us, however, that consumers are very willing to give over their personal information, be it for an Easter egg, a CD or simply because they were asked nicely. Read the bottom of any credit card or life insurance application and you'll see just what you're giving away. So while theft of identification information needs to be dealt with, I doubt you'll find a massive consumer outcry.

Meanwhile, one expert recently speculated that e-business, including the use of online banking sites, will come to a complete halt by the end of this year as a result of cybercrime and the threat of identity abuse.

Phishing, he alleges, is going to cause the vast majority of consumers to simply stop using the Internet, deeming it just too unsafe...presumably akin to the consumer walking late at night in the worst part of town.

Like the media representation of identity theft, phishing has become another media darling. There's no doubt that the volume of phishing e-mails has soared. Equally, there's no reason to believe it will be reduced any time soon. Few of the available anti-spam solutions can identify a phishing attempt from other legitimate advertising. Worse, many legitimate companies fail to understand how their brands can be abused by phishers as a result of that legitimate company's own actions.

I always love to tell the story of my own bank, the Canadian Imperial Bank of Commerce, who sent me a wonderful HTML e-mail that, amongst other things, included a graphic of the signature of the bank officer whose name was in the e-mail. Hmm, let's see, I have the bank's official logo, and the signature of someone who many of the bank's customers will have heard of. All I have to do is replace what's in between and I've got a very effective phishing scam...largely supplied by the bank itself. On top of these faux pas, the bank used a third-party marketing company to mail their e-mails out to everyone, so the headers were forged on purpose to minimize that fact. CIBC customers were, therefore, primed for a phishing e-mail scam by the bank itself.

But even if some phishing attempts are effective, and a recent paper on penny stock scams suggest they are somewhat effective, there's a really simple way to restore trust and eliminate phishing -- just disable HTML e-mail. All of a sudden the links aren't pointing to the legitimate Web site, the phisher's bogus site name is there...and guess what? It's not even similar to the legitimate site's name. The text that remains after converting HTML to plain text is usually total garbage -- even the simplest novice would be hard pressed to follow a link in such an e-mail.

So, in my view, the bottom line is that while personal information is being lost and stolen, the number of victims falls far short of the volume lost or stolen. This is equally true of phishing scams, despite the suggestions of impending collapse.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular