Fighting cyber crime like it really matters

It is no exaggeration to characterise the theft of personal information as an epidemic. Personal information in digital form is the lifeblood of banking and payments, government services, healthcare, a great deal of retail commerce, and entertainment. But personal records―especially digital identities―are stolen in the millions by organised criminals, to appropriate not just money but also the broader and fast-growing intangible assets of “digital natives”. The Internet has given criminals x-ray vision into people’s details, and perfect digital disguises with which to defraud business and governments.

Credit card fraud over the Internet is the model cyber crime. Child’s play to perpetrate, and fuelled by a thriving black market in stolen personal data, online card fraud represents 70% of all card fraud in Australia, continues to grow at 30-50% p.a., and cost over A$120 million here in 2010 (see https://lockstep.com.au/blog/2011/09/27/au-cnp-fraud-cy2010). The importance of this crime goes beyond the gross losses, for some of the proceeds are going to fund terrorism, as acknowledged by the US Homeland Security Committee.

Yet there is a deeper lesson in online card fraud: it needs to be seen as a special case of digital identity theft. ID theft is perpetrated by sophisticated organised crime gangs, behind the backs of the best-trained and best-behaved users, aided and abetted by insiders corrupted by enormous rewards. No amount of well-meaning security policy or user awareness can defeat the profit motives of today’s online fraudsters.

As the digital economy is to the wider economy, so cyber crime is to crime at large. And yet the e-business environment remains stuck in a Wild West stage of development: it’s everyone for themselves! There is no consistency in the gadgets foisted upon consumers to access online businesses and services; worse, most are flawed and readily subverted by hackers. We could build security deep into our transaction platforms to prevent identity theft, phishing, web site spoofing and spam―the requisite building blocks like digital signature toolkits and personal smart devices are now ubiquitous―but instead, almost all attention turns to user awareness. Yet education has reached its use-by date, rendered utterly obsolete by the industrialisation of cybercrime (see also https://lockstep.com.au/library/online_banking_review/obr-lockstep-200810-many-hand.pdf). Most everyone now knows they need a firewall and anti-virus software, but these are misguided measures when most identities are stolen in other channels utterly beyond the users’ control. The predominant technology-neutral policy position of government and the banking industry has not fostered market-driven innovation as hoped but instead has created a leadership vacuum, leaving consumers to fend for themselves.

To really curtail cyber crime we need the sort of concerted and balanced effort that typifies security in all other walks of life, like transportation, energy and finance. Car owners don’t fit their own seat belts and airbags as after-market nice-to-haves; bank customers don’t need to install their own security screens; bank robbers are not kept at bay by security audits alone. The time has come, now that we’re constructing the digital economy, to embrace intelligent security technologies that can actually prevent identity theft and cyber crime.