Here and Now: Online Fraud Reaches “Epidemic” Levels

Here and Now: Online Fraud Reaches “Epidemic” Levels

Emergency hospital during Influenza epidemic, Camp Funston, Kansas - NCP
http://commons.wikimedia.org/wiki/File:Emergency_hospital_during_Influenza_epidemic,_Camp_Funston,_Kansas_-_NCP_1603.jpg

It’s difficult to determine when, exactly, the first bank robbery took place in the United States.

Some historians claim it was the Clay County Savings Association in Liberty, Missouri, on 13 February 1866. Other sources suggest it was on March 20, 1831 when James Honeyman and William J. Murray emptied the vault and several safety deposit boxes at the City Bank of New York.

As an IT security professional, the Honeyman and Murray event is important to me, not just for the amount of money that was stolen ($52 million in today’s dollars), but for the method used.

Their crime was silent and effective. No alarms to bypass, no guard dogs to avoid, no cameras to hack into. The robbers used a copied set of keys, enabling them to let themselves into the bank and lock the doors while they stole as much money as they could carry.

All historians can agree, however, that the late 19th Century saw a veritable epidemic of bank robberies, a plague taken very seriously by law enforcement and deeply affecting those people whose bank just got hit.

Since 1831, security folks have addressed the bank robbery epidemic by innovative thinking, creative products and better policy & procedures for securing large sums of money.

In the 183 years we have had to work on the security problem of bank robberies, monetary losses are way down, according to the FBI.

Then in 1981, someone somewhere decided to put your money on the Internet.

Today online fraud is a gigantic problem, and still growing. Online fraud cost U.S. online retailers $3.5 billion last year, according to payment processor CyberSource.

Cyber security professionals have had 32 years to apply innovative thinking, creative products and policy & procedures for securing large sums of money online – less than 1/5 of the time we’ve had to figure out how to prevent physical bank thefts. So if history is any indication, we are sitting at the “epidemic” level of online fraud.

It’s quite possible that even in our lifetime we will not hear the FBI say that, “online fraud monetary loss are way down.”

I don’t have the luxury of telling my clients (or my boss) to “Relax, we have another 151 years of billable time to fix this online fraud issue.” Individuals and organizations expect IT security solutions now.

In the IT security world we must be better, faster and more efficient, simply because there is more at stake. A single flaw in an online system can cause hundreds of millions of dollars in damage to a business or government.

It was horrifying to learn details of the Reserve Bank of Australia been hacked in 2011. I did not take solace that the official explanation was “systems were infected by Chinese-developed malware searching for sensitive information about the G20.” I instead asked myself “Could the Australian currency market have been manipulated by this infiltration?”

An attack on Toronto law firms that successfully penetrated the Treasury Board in Canada used a similar excuse; “Systems were infected by Chinese-developed malware searching for sensitive information about the Saskatchewan Pot Ash Corporation.”

Many people celebrate the idea of an open and free Internet where information flows freely and, in most cases, anonymously (NSA spying not withstanding). My issue is when money is gets caught up in this. It should not flow freely and anonymously, there needs to be a compelling business reason and authorization for moving money across the digital pipelines.

Russia, China, Ukraine, Germany, South Korea, Romania, India, Taiwan and Brazil make up 51% of the hostile network traffic arriving at your firewall. Even though the U.S. accounts for the highest amount of hostile network traffic (21%), most North American companies need to interact with customers located in the U.S.

But by building some firewall rules, purchasing an appliance, or properly configuring networks, most organizations could eliminate 51% of network attacks from other part of the world.

If there is no compelling business reason to accept network traffic from outside North America, why do you?

Even if you need to do business in those countries, there are ways of establishing trusted third party intermediaries, or Virtual Private Networking solutions that can be implemented to safely interact with partners located in those countries.

In the Small and Medium Business (SMB) market, where I’m actually implementing network security solutions, we have seen dramatic decreases in attempted network penetrations. When we use our firewall rules to filter countries and add robust, cloud based anti-spam, managed anti-virus and 24/7 monitoring, I’m confident we are delivering enterprise level security to SMB customers.

It simply makes sense, especially when money is concerned, to realize that your network should not be connecting to an IP address located in the Middle East, if there is no good business reason for it to be doing so.

Ian Trump is a Cyber Threat Intelligence Analyst for Paradigm Consulting Group with 15 years of experience in IT security and information technology. With a diverse intelligence background from the Canadian Forces and RCMP, Ian’s security skills have helped secure global companies from cyber-attacks. His many projects include being the lead architect on the Canadian Cyber Defence Challenge and serving as a board member and Treasurer for Canada’s largest hacker space.