Friday, May 07, 2010

Companies make money from information – and so do the criminals

By Marcus Whittington, SentryBay’s chief operating officer

Published: May 7 2010 12:46 | Last updated: May 7 2010 12:46

Within 24 hours of the earthquake in Haiti, criminal gangs had switched from standard online scams to sending out e-mails purporting to be from aid organisations seeking donations for relief funds.

The most shocking thing about this is not its cynical opportunism, but the speed with which criminals can switch their activities to an unfolding human tragedy.

Online fraudulent activity is now sophisticated and able to exploit almost any situation in hours. The level of verisimilitude that online criminals have developed is astonishing.

Consider the theft of data from individuals via phishing. This involves sending fake e-mails to a user purporting to be from a legitimate organisation and soliciting sensitive information. Phishing relies on "social engineering", and as the Haiti example demonstrates, phishers continually adapt their approaches to snare unsuspecting users.

There are several key reasons for the success and growth of phishing:

● Phishing sites can be set up in minutes by copying a real web page and sending out mass e-mails to a pre-purchased list.

● Phishing sites often take days or weeks to be closed down by a company (or relevant ISP).

● Until recently, there has been no effective solution that can protect web-based applications from phishing.

● And even experts can have a hard time differentiating a real site and its phishing twin.

Another, potentially more damaging example of this increased sophistication is key logging, where criminals use spyware to silently monitor users' activity and steal data. Key logging is one of the most dangerous computing threats, because users and companies are almost always unaware that information has been stolen.

This sophistication is being driven by changes in the way the online criminals operate: hackers and their ilk are becoming more patient and persistent when looking for ways to steal personal data which they then use to set up fraudulent identities to apply for bank accounts, credit cards and loans.

A report from Lucid Intelligence, which tracks and records vulnerable organisations and attacks on individuals and businesses, says that the incidence of personal data being stolen and sold on the internet is rising dramatically and that the prices asked for stolen personal data and passwords have increased. What was once the goal for hackers has become the first step in a much larger plan.

At the end of 2009, Lucid’s database held 138m occasions of personal data being sold on the internet. This data is either used to enable large scale fraud, or more likely, developed and sold on – creating a black market supply chain in stolen identities.

What does this mean for businesses?

We know that some of the world’s largest organisations are already vulnerable: staff casually surfing the internet or responding to phishing or scamming e-mails at work can unwittingly open a door that criminals can step through.

In particular, we believe that smaller financial institutions will increasingly fall prey to fraudsters because they lack the more stringent controls and policies that larger businesses must adopt.

This is, however, preventable. There are three key steps every organisation could take straight away:

1. Audit processes internally to ascertain how employees are allowed to access online systems. Are security checks stringent? Do staff understand what phishing is and how to guard against attacks?

2. Implement anti-phishing and anti-spying software that guards against attacks in real time.

3. Set policy and enforce it. This may be via technology, educating the workforce or stronger measures but an unenforced policy is a waste of time – and a dangerous one.

Businesses too often take an old, out of date view of their enemy online. They still believe it is a bored teenager trying to crack anything marked “confidential”, or at worst, a disgruntled ex-employee with access to the company website because passwords have not been changed.

The truth is very different. If a business makes money from information, so can criminals. The greater the potential for profit, the more attractive that company becomes as a target.

Don’t expect to be immediately able to identify the threats these criminals can pose. And don’t think they move too slowly to strike at your operations. Such thoughts are tantamount to wearing a sandwich board proclaiming yourself invincible and daring anyone to a round in the ring.

Copyright The Financial Times Limited 2010. Print a single copy of this article for personal use. Contact us if you wish to print more to distribute to others.
