Underreporting and user error key problems in combatting cyber-fraud
Experts in a panel discussion at Kaspersky Lab yesterday outlined their concerns and frustrations in the fight against cyber-enabled fraud.
Participants in the Kaspersky roundtable discussing cyber-enabled fraud
Yesterday's fraud roundtable at Kaspersky Lab in London was an opportunity for experts to share their expertise on current trends in cyber-enabled fraud with the media.
The moderator of the panel, David Emm, principal security researcher at Kaspersky, invited a panel of experts to describe the current threat landscape, say who should be responsible for fixing it and then give their predictions for the future of fraud.
Kirill Slavin, general manager for the UK and Ireland at Kaspersky Lab, described a landscape in which campaigns such as Carbanak infiltrate bank networks and take full control, taking billions of dollars from hundreds of banks.
He said it was clear that cyber-criminals and traditional criminals were becoming one as the latter discovered how easy it was to rob banks in this way.
Charlie McMurdie, senior cyber-crime advisor at PwC, built on that theme, pointing out the cyber-criminals were increasingly resorting to physical means to gain access to networks. This involved compromising members of staff and sending out teams to reconnoiter sites.
She added that the underreporting of cyber-crime was leading to a situation where police would investigate a crime, which they thought involved only a small number of victims, only to discover far more were involved who, for one reason or another, didn't want to report it.
Lack of cooperation from the public was a point underscored by Tony Neate, CEO of Get Safe Online, who said that it was difficult to get the cyber-security message across to consumers and that “not much has changed since 1996”.
Often the victims of crime don't even see themselves as victims, even when their email or bank account gets taken over. In that context, trying to tell them about the newest virus to hit the web is a lost cause, he said.
Detective chief superintendent David Clark, head of the economic crime directorate at the City of London Police, said getting a clear picture of the “real threat” was difficult as the national bodies working on the problem only see about 20 percent of the incidents due to underreporting.
He agreed with Slavin that traditional organised crime was becoming cyber enabled. While the threat has no boundaries, law enforcement is forced to work within its jurisdictions. As a consequence he had concluded that law enforcement had little choice but to resort to crime prevention and disruption tactics rather than chasing the bad guys through cyber-space.
Professor Joshua Bamfield, director of the Centre for Retail Research, brought up the examples of TalkTalk and Tesco Bank. The damage to these companies was less about their financial losses and more to do with the damage that will have been done to their reputations.
The solution to cyber-crime according to the experts is educating the users. While denying that they were blaming the users, each of the speakers rattled off instances in which user error was a contributory factor in security failures.
Clark said that he didn't think cyber-crime was the sole preserve of the police, a point that McMurdie picked up as she explained how organisations were providing the manpower and expertise to investigate cyber-crimes against them in cooperation with a limited number of police.
The panelists were also in agreement that banks would increasingly challenge consumers who had lost money through fraudulent transactions rather than automatically refunding their money.
Banks are already giving free software to customers to bolster their security but Slavin questioned how long it would be before banks began asking customers, did you install that software? They would also be asking whether the PIN had been written on a sticky note on the credit card when it was stolen.
Decades ago in London, the specialist police team that dealt with bank robbery – known as the Flying Squad – would have to deal with about one bank robbery a day. Today, there's less than one per week in the entire country. Banks are far more secure than they used to be, but the criminals haven't given up; they've just moved online.