Editor's Note: Protecting our computers and information from attack is becoming an increasingly dangerous and dodgy game in the Internet age. This article is the beginning of a series that will explore the issues surrounding fraud, identity management and computer security. I hope that you will find it informative and entertaining, and that it will help set the tone for more security-related articles and reviews.
The cost to business of online fraud is over $50 billion a year in the US alone. Fraud directly aimed at the online consumer is averaging about $5 billion a year.
Think about that. We attend the cinema and are treated to an advisory before the show about video and music piracy potentially benefiting terrorism, and the specter of the 9/11 attacks is never far from our minds. So where are those online fraud billions going? And what are we doing to stop them from funding criminals and terrorists?
The truth is that for a decade or more, the online financial industry, banks, credit card companies, payment gateways, merchants, wealth management agents and so on, have all had it within their power to eradicate the majority of online fraud. Online banking and card payment consumers are being attacked primarily through techniques called phishing, pharming, trojans and spyware, man-in-the-middle (MITM) attacks, and social engineering. We will examine the specifics of many of these techniques throughout the series. What is most worrying is the progression and sophistication of the attack methods, the widening of the scope of these attacks to include targets other than large financial institutions, and the difficulty in apprehending the perpetrators.
In this series, we will explore many types of threats, and attempt to simplify the detail so that readers from all backgrounds can better understand what all the fuss is actually about. We aim to look beyond the headlines, which spout the usual advice about having multiple "strong" passwords and watching out for trojans and other malicious software. We will see how hackers ply their trade, and from there teach you how to protect yourself.
In this world, as with most others, knowledge is power.
A Wealth Of Data For The Taking
People surfing the net leave an incredible amount of personal information and profiling data around. This includes information about pages that they read, parameters they use to search, what they buy and download, places they visit, emails they receive and send, and people they chat with. The management and employees of an Internet Service Provider (ISP) have the potential to reap a huge amount of personal data if they were to violate their users' privacy.
Shopping online? The merchant site has the user's name and address details, and (usually) other marketing data from small questionnaires that are innocuously answered. The same applies to every site that forms part of the online shop and its delivery service.
And then there is the matter of the employees in the payment gateways, who verify credit card details. Then there are the bank's own employees: those who handle connection details, the administrators and staff who manage the bank's databases, and those who handle customer queries on accounts.
Combine so much data with personal identity management details, and it is actually possible to comprehensively steal the identity of an active online user. Consider the number of people who potentially have access to sensitive information, and you can see that this is a truly daunting challenge.
Identity fraud is a term that encompasses a wide variety of crimes perpetrated against the person. At first we will focus on the theft of personal data and subsequent financial loss, since these are the primary concerns for the ordinary online user. Later, we will look at strategies and computer software/hardware that are available to provide layers of defense that may protect us from certain types of attack.
Most banks with an online facility use a fully or partially transmitted PIN or password. This is the basic level of security that has been the backbone of Internet security since its creation. It means that the user is requested to input either the full PIN, or individual digits from it; for example, you might be asked to enter the first, third and fifth digits of your six-digit PIN.
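To make the partial-PIN scheme concrete, here is an added illustration (not code from the article or from any bank) of how a verifier checks a challenge such as "digits 1, 3 and 5", and of the two caveats a defender should keep in mind: the verifier must hold the PIN in recoverable form because a hash cannot answer an arbitrary subset of positions, and each answered challenge observed by a phishing page or MITM proxy reveals more of the PIN. The six-digit PIN and the challenge lists are constructed sample data.

```python
import hmac
import random

# Constructed sample PIN for illustration only. A real verifier would keep the
# PIN reversibly encrypted, not hashed: a salted hash cannot be compared against
# only digits 1, 3 and 5, so this scheme forces recoverable storage.
SAMPLE_PIN = "493017"


def issue_challenge(pin_len, k, rng):
    """Pick k distinct 1-indexed PIN positions to ask for, e.g. [1, 3, 5]."""
    return sorted(rng.sample(range(1, pin_len + 1), k))


def verify_partial(stored_pin, positions, supplied):
    """Check the supplied digits against the challenged positions.

    The comparison is constant-time so the verifier does not reveal through
    timing which of the requested digits was wrong.
    """
    if len(supplied) != len(positions):
        return False
    expected = "".join(stored_pin[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), supplied.encode())


def positions_disclosed(challenges):
    """Union of positions whose digits a third party has seen answered, e.g.
    a phishing page or MITM proxy relaying several genuine sessions."""
    seen = set()
    for challenge in challenges:
        seen.update(challenge)
    return seen


def pin_fully_disclosed(challenges, pin_len):
    """True once every position has appeared in some observed challenge."""
    return len(positions_disclosed(challenges)) == pin_len


def sessions_until_disclosed(pin_len, k, seed):
    """Simulate how many observed logins it takes before every digit of a
    pin_len-digit PIN has been requested at least once (at least pin_len/k)."""
    rng = random.Random(seed)
    challenges = []
    while not pin_fully_disclosed(challenges, pin_len):
        challenges.append(issue_challenge(pin_len, k, rng))
    return len(challenges)


if __name__ == "__main__":
    print(verify_partial(SAMPLE_PIN, [1, 3, 5], "431"))   # digits 4, 3, 1
    print(sessions_until_disclosed(len(SAMPLE_PIN), 3, seed=7))
```

A fraudster who relays a handful of genuine sessions therefore ends up with the whole PIN, which is why the following paragraph's move towards one-time passwords matters.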
Some banks are now adopting methods that generate one-time passwords (or PINs), and there is an increasing trend towards adoption of such techniques. That is particularly the case since the US Federal Financial Institutions Examination Council (FFIEC) set down 'guidelines' to financial institutions regarding minimum standards of security.