Online crime is low risk, high reward.'

By Paul Marck, Canwest News ServiceMarch 11, 2009

 

Online credit card fraud is a growing worldwide epidemic, and experts warn if Canadians think they're less vulnerable because they only use secure transaction sites, they need to think again.

 

Gary McIntyre, lead security architect for IBM Canada, says e-commerce fraud that empties bank accounts, steals identities and hoists credit card information is easy and profitable for cybercriminals, wherever they are.

 

``Online crime is low risk, high reward,'' says McIntyre. ``Given that it occurs over multiple jurisdictions and across borders, it is difficult to prosecute.''

 

Last year, an estimated $4 billion was lost by U.S. merchants to Internet fraud, double the losses of only five years ago, according to an annual study by Cybersource Corp.

 

Many swindles come from spamming and phishing, where online criminals seek credit card and bank account information by posing as legitimate businesses, or masquerading as financial institutions.

 

By sending out thousands or even millions of phishing e-mails seeking people to part with their personal financial information, criminal hackers need only a tiny percentage of positive responses to rake in big bucks.

 

IBM's recently released X-Force Trend and Risk Report indicates several countries vied for the top spot as spam senders, with Russia, China and Brazil leading the way. China also held the distinction as the No. 1 host of malicious websites, surpassing the U.S., the X-Force report said.

 

Fear of hacking intrusions is scaring businesses into taking action. But it's not necessarily the right action. Another report, PricewaterhouseCoopers 2008 global study on international online security, says businesses are spending indiscriminately for online security technology.

 

``Our survey identified a worrying trend within many organizations who are throwing increasing resource dollars at technology solutions without fully understanding the threats they face,'' says Salim Hasham, vice-president of the advisory services practice for PwC.

 

Confused corporate priorities or a lack of vision aligning security spending and business needs compound the vulnerabilities, says Hasham.

 

A major example of online fraud in Canada last year was a malware application called XP Antivirus 2008. Thousands of gullible individuals and businesses were scammed. A pop-up banner ad claimed to execute a quick system scan, detecting that the user's computer was infested with viruses.

 

Users were directed to download an antivirus program for a fee. What people got was a piece of malware that searched the host computer for personal data - plus the user had already turned over credit card information to pay for the fake download.

 

``It was very professional and very slick,'' says IBM's McIntyre, who consults with clients across the country. ``I've had customers who fell for this hook, line and sinker.''

 

Financial institutions and their customers are by far the most popular targets for criminal hackers. Transaction sites are vulnerable and the X-Force report says that growing numbers of hackers implant undetected code in the back- office end of commercial databases, intercepting personal information and thus turning a legitimate business against its own customers.

 

Such intrusions, called ``spear phishing,'' play on a consumer's sense of trust. The aim is to gather enough data from a company that the hacker can send its customers personalized communications. These e-mails contain enough legitimate information to give customers a sense of authenticity and comfort, after which they will more likely follow links to bogus sites where they then divulge personal and financial information.

 

``Hackers are using ever more sophisticated attacks with a blend of technology and good old-fashioned social engineering in many cases to fool customers into giving up their personal data, such as access passwords to their bank accounts,'' says Hasham.

 

Financial loss is the main driver behind businesses trying to protect their e-commerce sites, but not the only one. PwC's survey, with more than 7,000 responses worldwide, said the main business impacts from illegal hacking include:

 

* Financial loss, 39 per cent

 

* Theft of intellectual property, 30 per cent

 

* Brand compromise or reputation loss, 27 per cent

 

* Fraud, 21 per cent

 

``This is indicative of a new breed of attack focused on stealing corporate resources or negatively impacting consumer confidence,'' says Hasham.

 

There is no single solution for businesses to protect themselves, says McIntyre. Filling that business need is the sweet spot for IBM and IT security consultants. They address the gap with a wide variety of services, products and third-party vendors to layer security protection across a corporate IT system.

 

``The important thing is to take advantage of all of these resources,'' says McIntyre.

 

But there are no guarantees.

 

Last year, a leading Canadian e-commerce site was compromised, with illicit disclosure of information happening ``frequently'' until the intrusion was detected and measures taken to fix processes, McIntyre says.

 

The company is well known, but never publicly disclosed that it had been hacked. Once criminal intrusion into a commercial website is detected, there is no onus on a Canadian business to report the crime, says McIntyre.

 

Between 30 and 40 U.S. states, led by tough legislation in California, make it mandatory for businesses to report incidences of data loss or compromise. No comparable law exists in Canadian jurisdiction.

 

But where governments in Canada are slow to act, the credit card companies have taken a carrot-and-stick approach. Known globally as the payment credit industry digital security standard (PCI DSS), Visa, MasterCard and American Express all put their business-service fees for e-commerce on a sliding scale, depending on the merchant's level of online security.

 

``Unlike a lot of legislation, it does not force compliance, but it does address the problem at a certain level,'' says McIntyre.