Is 'Cybercrime' Really Killing the Internet?
Media coverage belies the actual damage being done.
Just before the U.S. Memorial Day holiday, we have the news that 26 million
U.S. veterans' personal information has been stolen from the home of a
Veterans Affairs worker. The VA is going to notify each of the vets to warn
them to be on the lookout for abuse of their information.
As a result of stories like these, we get other reporters suggesting that theft
of information via cybercrime -- which today seems to mean any form of crime
that involves a computer, including the theft of a laptop from a home or cafe
-- is "mushrooming."
Who here thinks we only started to store personally identifiable information
on computers in the last year or two? Who thinks laptops and desktops, and servers
for that matter, have only recently started being stolen?
If we add up the numbers from all of the reported identity theft stories, every
U.S. citizen is likely to have already had their identities stolen, likely more
than once. Yet we don't see the expected deluge of stories about people,
in the millions, who find out they have a second home they've never seen
but have to pay for, or millions going bankrupt in order to avoid the abuse
of their credit.
I'm certainly not suggesting that such crime doesn't happen, or
that there aren't any victims out there who have had such problems. I'm
only saying the problem is far greater in the media than it is in the average
consumer's lives. And the mandated disclosure of such data losses are
going to fuel stories for years.
Consumers certainly are questioning whether their information is safe, at least
those few who are actually paying any attention to such stories. Reality tells
us, however, that consumers are very willing to give over their personal information,
be it for an Easter egg, a CD or simply because they were asked nicely. Read
the bottom of any credit card or life insurance application and you'll
see just what you're giving away. So while theft of identification information
needs to be dealt with, I doubt you'll find a massive consumer outcry.
Meanwhile, one expert recently speculated that e-business, including the use
of online banking sites, will come to a complete halt by the end of this year
as a result of cybercrime and the threat of identity abuse.
Phishing, he alleges, is going to cause the vast majority of consumers to simply
stop using the Internet, deeming it just too unsafe...presumably akin to
the consumer walking late at night in the worst part of town.
Like the media representation of identity theft, phishing has become another
media darling. There's no doubt that the volume of phishing e-mails has
soared. Equally, there's no reason to believe it will be reduced any time
soon. Few of the available anti-spam solutions can identify a phishing attempt
from other legitimate advertising. Worse, many legitimate companies fail to
understand how their brands can be abused by phishers as a result of that legitimate
company's own actions.
I always love to tell the story of my own bank, the Canadian Imperial Bank
of Commerce, who sent me a wonderful HTML e-mail that, amongst other things,
included a graphic of the signature of the bank officer whose name was in the
e-mail. Hmm, let's see, I have the bank's official logo, and the
signature of someone who many of the bank's customers will have heard
of. All I have to do is replace what's in between and I've got a
very effective phishing scam...largely supplied by the bank itself. On top
of these faux pas, the bank used a third-party marketing company to mail their
e-mails out to everyone, so the headers were forged on purpose to minimize that
fact. CIBC customers were, therefore, primed for a phishing e-mail scam by the
But even if some phishing attempts are effective, and a recent paper on penny
stock scams suggest they are somewhat effective, there's a really simple
way to restore trust and eliminate phishing -- just disable HTML e-mail. All
of a sudden the links aren't pointing to the legitimate Web site, the
phisher's bogus site name is there...and guess what? It's not
even similar to the legitimate site's name. The text that remains after
converting HTML to plain text is usually total garbage -- even the simplest
novice would be hard pressed to follow a link in such an e-mail.
So, in my view, the bottom line is that while personal information is being
lost and stolen, the number of victims falls far short of the volume lost or
stolen. This is equally true of phishing scams, despite the suggestions of impending
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.