Users Called ‘The Weakest Link’ in Online Security
LONDON -- Fighting e-crime requires cooperation among govt., industry and law enforcement, but consumers also have a hand in protecting networks, speakers said here Tues. at the E-Crime Congress 2005. Increasingly, sophisticated online criminals are less interested in “hacking for fame” than in “hacking for fortune,” said Graeme Pinkney, Symantec head of threat intelligence for Europe/Middle East/Africa. Consumers -- who often fail to outfit home PCs with crime-busting software and to take other steps against attacks -- are the security chain’s weakest link, but they can expect to be asked to play a more active role in e-crime prevention, said Alan Jebson, group chief operating officer for global bank HSBC.
Recent months have seen new species of e-crime, speakers said. 2005 will be the year of “pharming” rather than “phishing,” said technology analyst and Congress program dir. Simon Moores. Like phishing, pharming redirects users to phony sites, but targets multiple users at the same time, Moores said. Another new threat is theft of company, as opposed to individual, identities by obtaining corporate credit card numbers and other information, he said.
A particularly pernicious form of attack against banks involves “money mules,” Jebson said. Under the scheme, which emerged about a year ago, e-criminals advertise online for naifs with bank accounts looking for jobs with flexible hours. Once a mule is in place, the criminals swipe money from banks electronically and deposit it in a mule’s account. Mules then withdraw the funds and send them, usually via Western Union, to Latvia, Jebson said. As long as the money stays in the banking system it’s recoverable, he said. Once the mules withdraw it, it’s harder to recoup.
“Botnets” and “zero day exploits” also are on the rise. Botnets, short for “robot networks,” colonize ordinary PCs, which are then used to attack others, said Judy Baker, deputy dir. of the U.K. National Infrastructure Security Co-ordination Centre (NISCC). Zero day attacks exploit new vulnerabilities for which fixes aren’t yet available, she said, leaving companies racing to find patches. NISCC sees e-attacks growing more sophisticated, Baker said, as Trojans see more frequent use to inject malware into information technology systems; “social engineering” allows fraudsters to trick users into opening e-mails spoofing their pet subjects.
The HSBC Group had 18.9 million Internet registered bank customers in 39 countries at the end of 2004, Jebson said. The bank thought it was safe from e-crime until the end of 2003, when phishing changed that, he said. The bank found new ways to authenticate e-correspondence but continued to deal with phishing somewhere in the world every day, he said. Despite warnings, many customers continued to disclose personal information and find themselves swindled, Jebson said. That upset the balance HSBC thought it had found between protecting customers’ accounts and making online banking comfortable for them.
HSBC has worked with customers, govt. and law enforcement to cut e-crime, Jebson said. But consumers remain the weakest link, and still don’t see their critical role. Besides banks like HSBC having to educate customers, he said, the industry at large must take a firmer line with those who don’t protect their PCs. There’s no reason why protective software can’t be sold bundled with a computer’s system, he said, but so far industry has chosen not to do so. He urged the audience to encourage Microsoft founder Bill Gates to take up the cause.