True story: a couple of years ago, an eBay seller auctioned off five specialised items in a week and demanded payment by direct bank transfer. Two weeks later, the five scattered UK buyers contacted each other: none had received the items they’d paid for. Armed with the scammer’s real bank details and mobile phone number, they reported the incidents, which totalled about £1500, to their local police authorities. The reports were forwarded to the police in the scammer’s area. And then, nothing happened.
Stories like these are why many consumers believe that no one in authority cares about common cybercrimes: phishing attacks, spam, viruses and other malware, identity fraud, and auction fraud. In the aforementioned case, the local police were sympathetic but had other priorities for their limited resources. And yet, as cybercrimes go, this eBay fraud was simple: everyone was in the same country, and no-one was anonymous.
“I have had the same thing”, says Lieutenant Charles L. Cohen, commander of the Special Investigations and Criminal Intelligence sections of the Indiana state police and an adjunct professor at Indiana University Bloomington.
“I had the photo, name, and address of a guy in Australia who was victimising people in Indiana. What prosecutor will send me there to extradite him and have him stand trial for $6000 (£3755) to $7000 (£4380)? But he’s doing it in multiple jurisdictions.”
A business decision
What criminal wouldn’t choose a life of cybercrime over more traditional, physical-world kinds of theft, especially when the risk of conviction is so much lower? “I interviewed a guy who used to rob banks and now does online fraud”, says Cohen. The former bank robber had cogent reasons: in robbing banks he could get shot, or caught and convicted to serve long sentences – and, he told Cohen, the money wasn’t that good, relatively speaking. By contrast, he was unlikely to get caught or investigated pursuing online crime, and if he did, the most he’d serve is a couple of years. “For this individual, it was a business decision.”
| "Evidence from computers or networks, if it hasn’t been central, has been significant" |
| Peter Sommer, London School of Economics |
It’s not that the police don’t care. “There is nothing more frustrating for a person who’s made a career as a detective to have to tell someone who’s been the victim of a crime that there’s nothing you can do”, explains Cohen. Especially, he says, because often someone who has been victimised once becomes a target for more schemes going forward.
“The real issue is speed”, says Nick Selby, managing director of the Trident Risk Management consultancy. “It is so hard to prove anything, even if everything occurs in the same jurisdiction – and it never does. I would say it’s nigh on impossible to enforce any laws that might exist – if the law even applies at the time of the transaction because the methods of doing this change so rapidly. In the underground, there is a lot of specialisation and a lot of really sophisticated organisation that insulates and isolates in the same manner that a terrorist cell’s command and control works.”
Selby’s ‘malware-industrial complex’ has been progressively documented over the last couple of years by Peter Gutmann, a researcher in the computer science department at the University of Auckland. Increasingly, Gutmann says, malware is a highly profitable, commercial, and well-organised sector that mirrors the legitimate software industry. Current trends that should all sound familiar include malware as a service, full technical support, adware affiliates, video tutorials, try-before-you-buy plans, outsourcing, and even money-back guarantees. Much of it is automated, including trading exchanges that match buyers and sellers of traffic.
| "One outgoing police officer said that politicians don’t seem to have the appropriate sense of fear about cybercrime" |
| James Brokenshire |
The scale is staggering: AT&T reports detecting a million new bots a month. Even more frightening is that yesterday’s look-at-me viruses are being replaced with stealthier models that steal the data they want as undetectably as they can.
And all at relatively little risk: “It is almost impossible to ‘do time’ for e-crime at this point”, says Selby. He doesn’t call the organisers ‘cybercriminals’, but like many law enforcement people, simply calls them ‘criminals’.
Digital evidence
Peter Sommer, a visiting professor in the Information Systems Integrity Group in the Department of Management at the London School of Economics, says that this is a significant and pervasive shift in law enforcement thinking. “Magazines like Infosecurity and people in the IT business think of e-crime”, he says, “but increasingly the thinking in law enforcement circles – and it’s been like this for some time – is that they don’t want to waste time on defining what e-crime is. They are focussing instead on the need of detectives of all kinds to be able to cope with digital evidence in all forms”.
Sommer himself has acted as an expert witness in a wide range of cases that include, besides hacking, murders, illegal immigration, harassment, narcotics, and even terrorism. In all of them, he says, “Evidence from computers or networks, if it hasn’t been central, has been significant.”
It was this pervasiveness of computers that originally got Cohen interested in online crime, back when few others in law enforcement understood what they were seeing. He now spends much of his time teaching others the workings of everything from Facebook and iPhones to Second Life and World of Warcraft.
“The only people who get caught are inept and unlucky”, says Cohen, who notes that like so many other people, criminals can be remarkably indiscreet on social networking sites.
Merely understanding the problem, however, is far from satisfying. What’s more important, agree Cohen and Sommer, is the solution. One thing most concur with is that these criminals are not frightened of the law.
Lack of heroic status
“There are all sorts of laws in existence already”, says Gutmann by email, “but it’s enforcing them that’s the problem. There are quite a number of related problems here – for example, it’s so easy for criminals to hide their identities that they have little to fear in terms of getting caught (and no new laws will help here since the crooks are using Aunt Ethel’s computer to commit their crimes), so the only one who’ll get caught by new police powers or whatever the politicians will sell us as their ‘solution’ to the problem is Aunt Ethel”.
In addition, Gutmann says, police contacts have told him that while those who catch terrorists, bank robbers, or muggers are heroes, police who solve cybercrimes tend to get little recognition.
“There is no one single answer”, says James Brokenshire, the Conservative Shadow Minister for Crime Reduction, when asked about cybercrime law enforcement. “The problem in recent years is that it hasn’t been an area of focus, and there hasn’t been appropriate attention given to this issue as a matter of policy. One outgoing police officer said that politicians don’t seem to have the appropriate sense of fear about cybercrime.” A significant problem for consumers, he believes, is the disjointed approach government has taken so far to providing preventative and self-help information. In addition, he says, “We need to work with industry on system design.” Going forward, he says, law enforcement needs additional strengthening to add to the 2008 creation of the Police Central e-Crime. Brokenshire proposes, for example, a UK equivalent to the US’s new Internet Crime Complaint Center (IC3). Second, he notes that the UK’s existing specialist units need to work together and share information more effectively. In addition, he says, “We need to develop better triage of forensics as well, so that law enforcement is better able to respond to the intelligence and information that are reported to it.”One other key element for government, he articulates, is “We need to rethink the architecture of the way we develop IT systems surrounding e-government.” Huge databases such as the ID card register, he says, are large targets that “are very attractive to those who might wish to obtain that data”. Looking ahead ten to 20 years in the future, he envisions that we risk creating a “dangerous waste dump that may seem innocuous now”. | |
Cohen, however, thinks the existing laws need updating at the very least. “In many cases, we’re trying to apply US federal and state statutes that were written at a time when there were still rotary phones”, he says.
Still, Sommer points out that technology-specific legislation – like, for example, the Computer Misuse Act – tends to be difficult for juries to follow. Prosecutors aiming at computer-related crimes, he says, typically prefer to use laws like the Fraud Act (2006).
| "It’s so easy for criminals to hide their identities that they have little to fear in terms of getting caught " |
| Peter Gutmann |
“It was deliberately written so you could include the deception of a computer and the use of computer-generated articles in the course of deception. If you look at distributed denial-of-service attacks, yes, you could try to convict people under Section 3 of the Computer Misuse Act, but usually what happens is the DDOS attack is accompanied by something else, such as an extortion demand.”
In such a case, the Crown Prosecution Service is more likely to invoke the laws against blackmail, which juries already understand. Then, he says, “The fact that the evidence involves computers becomes a subsidiary element.” The downside: it becomes harder to keep any meaningful statistics on e-crime.
In his experience, Sommer notes, the law is only rarely a deterrent. Teenage hackers are either too young or too arrogant to understand that they can get caught. The bigger game is, as already noted, designed to operate outside today’s legal structure.
One thing that has improved, however, Sommer says, is technical knowledge in law enforcement circles. “It’s extremely patchy, but a lot better in parts than most people think. Where the big gaps are at the moment is in the training of the routine detective.”