Sunday, March 28, 2010

Because that's where the money is

Brian Krebs checks in with an excellent post comparing cyber crime to traditional crime. Krebs writes,
Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.
As weve discussed and Krebs points out,
Small wonder that the haul from cyber bank robberies has overtaken that of physical heists: Cyber thieves take far fewer risks to life, liberty and limb than do real-life bank robbers. In that same three month period last year, the FBI says bank robberies at bricks-and-mortar institutions caused five deaths — all them perpetrators of the crime.

What’s more, the perpetrators of these incessant attacks against small businesses banking online for the most part reside in countries that are traditionally beyond the reach and influence of U.S. law enforcement. Sure, bank robbers occasionally kill people (more often themselves) while they’re stealing your money, instead of silently lifting it out of your bank account from afar like cyber thieves. That alone makes them a more emotional high-value target for the feds. But let’s face it: Traditional stick up artists are a lot easier to collar. For one thing, by necessity they are all here in the United States.

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

I can’t help but notice one other important distinction between these two types of bank crimes: The federal government sure publishes a lot more information about physical bank robberies that it makes available about online stick-ups.


Allison Rosburg said...

I have to agree with Krebs' stance that cyber crime has the potential to become a much greater danger than traditional crime. When it comes to cyber crime the explanations for why it more dangerous are the same for why the U.S. government now uses technical surveillance, rather than the traditional use of an intelligence agent.
When criminals or the government use technology they are able to cut out human ties. This makes it much less likely to identify the criminal or agent, and this often allows them to go undetected within the system. Cyber crime will only lead to less localized crime and more global crime. You now have the ability to steal from any company in any part of the world. If I am sitting in New York City on computer I have the capability to be robbing a company headquartered in Japan. There is no longer a way to contain crime to certain areas becuase the internet does not have these limitations.
Finally, I believe cyber crime to be more dangerous because they can involve many other people in their plot whereas with traditional crime there is usually a small group of people who must all come in contact with eachother. With cyber crime you can recruit people form all over the world to assist in your plot, and you can even plan it so they are uknowingly assisting you. For example, the crime rings, in which you are offered money to have stolen items delivered to your address, then you send the stolen items out of the country, so that a company is unable to trace all the stolen items to one address.
Cyber crime is not only increasing its range of accessiblilty, but it is creating a network of criminals linked by cyber crime. Many people who would never contemplate traditional crime because of the risks may become attracted to the less direct form of crime using technology, which is seen in these pack and repack programs where regular citizens offer to facilitate the criminals' access to their stolen goods.

Meg Luther said...

This posting made several interesting points. First, its assessment of the appeal of cyber attacks versus physical, living bank robberies or other traditional crimes astutely rationalizes the relative ease and anonymity of cyber crime. Cyber crime is by nature more stealth and, when attacking more susceptible targets such as small businesses rather than Fortune 500 companies with more resources to track criminals on the web, they are even more surreptitious, and, as the article points out, take far fewer physical risks when attacking from behind a computer screen.

We also discussed in class how even the larger companies in America, like Google, are susceptible to cyber attacks but, even though we now know that those attacks do happen and security measures are breached, those companies (large or small) are unlikely to make any kind of public report of those security infringements. Indeed, Google’s response to the attacks on their company at the beginning of the semester proved to be contrary to common practices of hushing up such attacks. For smaller businesses, the government could institute some kind of streamlined method of reporting security breaches, so those companies which do not have the resources to fight against cyber criminals could pass on that responsibility to an organization with better abilities to fight crime (if the government could not capably fight back or track those kind of breaches, they could also outsource that job to a private company in the US).

Christopher Newsome said...

Brian Krebs’ important conclusion is that there is no publicity on online bank heists. Our guest speaker, Richard Bejtlich mentioned the overhead costs that companies were willing to take on before addressing the issue. The lack of transparency here amazes me. Mr. Bejtlich described a firm that was fully cognizant of the theft, yet did nothing. These companies perceive the millions of dollars that are stolen from them quarterly as just an operating cost. This cost will always trickle down to the consumer. For example, I might not be receiving as high an interest rate on my money in the bank because the bank is trying to recuperate its stolen losses. Perhaps these businesses are unwilling to come forward and publicize information about these heists because they fear that the criminals will not be apprehended, and instead only garnering bad publicity for the firm. It might be rash to mandate that all banks and businesses report cases of cyber crime/theft, but there is something that needs to be done here. There was a time when bank robbers used to get away with heists, but increases in publicity and manpower slowly decreased the chances of success for bank robbers. With an increase in the publicity of the event, comes a call for accountability and justice: consumers will demand the punishment of those responsible for the crimes. In conclusion, the slow prodding of businesses to reveal their “cyber losses” will slowly bring about the clamor of the public for these cyber criminals to be brought to justice.