IN CASE YOU MISSED IT

Lawlessness flourishes in cyberspace

This story was first published in The Straits Times on Dec 25, 2013

LONDON - It was tasteless, even gruesome, but very effective. Mobile phone owners in South Korea recently got a text message inviting them to click on an Internet link purporting to offer a video of the execution of Jang Song Thaek, the uncle of North Korean leader Kim Jong Un.

Yet those who did found not only no video but also had to pay 250,000 South Korean won (S$300).

While recent media attention has focused on the roles of government spies in sophisticated cyber operations, the reality remains that the biggest threat to online users comes from criminal activities.

These range from the venerable "Nigerian scam" that usually takes the shape of an e-mail informing a recipient that he has "won" an unexpected inheritance, which can be collected in return for a "small payment", to the planting of sophisticated software on computers that sucks out all personal information. So-called "smishing", or SMS plus "phishing", the fraudulent attempt to acquire personal details, is a variant that thrives on the rising popularity of smartphones.

There are no precise figures on the scale of the damage inflicted globally by cybercrime, but a report compiled in July by the Centre for Strategic and International Studies, a top US think-tank, and McAfee, an Internet security company, estimated total losses from theft of money and intellectual property, as well as work disruption, at "several hundreds of billions of (US) dollars" yearly, with about US$100 billion (S$126 billion) of this in the United States alone.

It is easy to see why this sort of crime flourishes. Contacting people for fraudulent purposes costs nothing: A staggering nine-tenths of the 160 billion e-mails sent daily are classified as spam, and of these about 16 per cent contain attempts to dupe recipients, according to Symantec, another security software vendor.

If only a tiny fraction of these succeed in cheating people, the financial returns are considerable.

Last week, a Nigerian couple was jailed in Britain for stealing £41,000 (S$85,000) and for preparing to steal a further £19 million using one of the oldest cyber scams in the book: an e-mail telling people they need to "re-confirm" their online banking details. The fact that these e-mails were crude made no difference: 2,439 unsuspecting Britons parted with their banking details.

It is also easy to hide identities online. According to a recent report from cloud computing provider Akamai, Indonesia has surpassed China as the originator of most fraudulent Internet activities.

But that may just be an indication that various criminal gangs are using Indonesian servers for their so-called botnet operations - the automated attacks that use a set of linked computers. The actual criminals are probably on another continent.

As more and more commercial activities move online and as new methods of money transfers are being introduced, including "virtual" currencies, the opportunities that cyberspace provides to entrepreneurial criminals to engage in illicit activities multiply.

And there is also the "Dark Web" where Internet sites set up specifically for criminal purposes usually lurk; it is a sobering thought that Google, the search engine most people use, indexes less than 1 per cent of the world's total online activity.

National centres to combat cybercrime have been pretty good at identifying cyber threats. But they find it difficult to spread this information to those who need protection.

Part of the problem is legal: Governments cannot discriminate between companies in providing them with intelligence information about new cyber threats. Corporations should be expected to pay for this service, rather than get it free, courtesy of taxpayers.

There is also the traditional problem of handling intelligence material: both sources and the knowledge itself require protection.

One of the biggest blows inflicted by US whistle-blower Edward Snowden on law enforcement efforts was his revelation of just how successful America's National Security Agency may have been in penetrating the "Dark Web" in pursuit of criminal gangs.

But the biggest problem lies with commercial firms themselves. Until recently, many banks treated cyber security questions just as stores treat shoplifting, or "shrinkage" as they euphemistically call it: a tedious, inevitable cost of doing business.

Security directors at banks and other financial institutions never sat on their companies' main boards and were seldom consulted. As a result, top businessmen are still largely ignorant about how vulnerable their companies are to cyber attacks and frauds.

And banks remain willing to compensate anyone who suffers from fraud and hush up the problem: That is far cheaper than admitting a vulnerability and risking potential litigation for negligence. The outcome is that it is hard to know how big the problem is.

Still, the coordination between governments and corporations is improving, mainly because the threat is expanding so fast.

The attacks on three big US banks late last year were twice as powerful as the denial-of-service attacks which brought the entire northern European country of Estonia to its knees in 2007.

And the attacks on South Korean banks in March this year included malware which, while successfully evading anti- virus products, inserted a "time bomb" designed to take out all computer systems at the same time.

jonathan.eyal@gmail.com

This story was first published in The Straits Times on Dec 25, 2013

To subscribe to The Straits Times, please go to http://www.sphsubscription.com.sg/eshop/