Cybercrime - not so high tech after all?
Jinfo Blog

By Tim Buckley Owen

Abstract

With news that Visa and Mastercard accounts may have been compromised and further alarm bells ringing about cybercrime, information professionals look to see where the risks are and what they can do about them. However, it seems that it's the low end of the technical spectrum where the biggest dangers lie and not with  young, technically literate criminals.

Item

News that Visa and MasterCard accounts may have been compromised couldn’t have come at a more opportune time for the European Commission, which has just announced that it is to set up its own cybercrime centre. But where do the risks of cybercrime actually lie, and what can information professionals do about it?

It was security blogger Brian Krebs who first raised the alarm about a breach at a United States based credit card processor. Sources in the financial sector were calling it “massive”, he said, possibly involving more than 10 million compromised card numbers.

As the story spread, it may have scotched any suggestion that proposals to create a European Cybercrime Centre were just another example of overreaching Euro-bureaucracy. To be established at Europol’s headquarters in The Hague from next January, the Centre will fuse information from open sources, private industry, police and academia – serving as a knowledge base for EU members’ police forces as well as assisting cybercrime investigators, prosecutors, judges and the private sector.

Social media will naturally be a key focus of its activities, but the announcement strangely failed to mention email – even though, contrary to what one might expect, this medium remains the more popular. A recent international survey from the polling organisation Ipsos reveals that, although social media may be catching up fast, 85% of people use the internet for emails, compared with only 62% for social networking.

So emails remain a potential risk – even if only of costly time-wasting, as the latest VBSpam report from Virus Bulletin shows. Speaking to the Register newsletter, VB’s Martijn Grooten reports that the recent decline in spam appears to have been accompanied by a reduction in the effectiveness of enterprise spam filters – some of which are ironically letting more spam through.

Further cybercrime misconceptions have been challenged by research from the John Grieve Centre for Policing and Security at London Metropolitan University. Commissioned by BAE Systems Detica, it found that most cybercrime is not committed by young, technically literate individuals but by older traditional criminals, who have profited from the deskilling brought about by the greater availability of “crimeware”, and who meld their cyber activities with traditional extortion, protection rackets and violence.

What’s true for the perpetrators may also be true for the potential victims. Commenting on the Visa and Mastercard breaches, Gartner’s Avivah Litan blogs that it may simply have been a case of taking over an insufficiently protected administrative account by answering its knowledge-based authentication questions correctly.

Much cybercrime seems to be middle- to low-tech stuff, then, it seems. If so, fighting it matters as much for the corporate information professional – gatekeeper to much of an enterprise’s incoming data – as it does to the techies.

« Blog