Logging on to cyber-crime
The old-fashioned bank heist is now just a few keystrokes away - and almost invisible
BOSTON
Nothing seemed out of the ordinary when clients of the second largest bank in Holland logged on to the bank's Web site to access their accounts. The first time they entered their username and password, however, they received an error message. When they tried again, they were able to access their account, conduct their business, and leave.
What they didn't know was that the first time they were not actually at their bank site but at a mirror site set up by a hacker.
The mirror site took their information, e-mailed it to the hacker, then sent the clients to the bank's real site. A few hours later, the hacker went to the bank site and, using the stolen information, took five guilders (about $2.35) from each account - a sum most people would never miss. Doing this, the hacker was able to steal thousands of dollars, without the bank or its customers ever knowing.
Luckily, the hacker wasn't a real thief - just someone who wanted to prove that the bank's claims of impenetrable security were nonsense. All the money was returned. But his actions show the new kinds of crimes that are taking place online, especially as many businesses rush to embrace electronic commerce, without making sure their online security is strong enough.
"I don't think that we need to be so concerned about cyber-doomsday predictions," says Yael Sachs, president of Aladdin Knowledge Systems's Internet security unit. "But it's petty crimes like this one on a large scale that will impact our economies to a huge extent."
According to the Association of Certified Fraud Examiners, the average bank robbery stole about $14,000, while the average computer theft was more than $2 million. While the exact figure of financial losses due to cyber-crime is not known, most security experts interviewed for this article put it in the billions of dollars.
For instance, AT&T and MCI were forced to give 38,000 consumers credits and refunds worth $2.74 million in 1997 for phone charges they unknowingly incurred when Internet scam artists hijacked their computer modems. The scam occurred when the victims visited a porn site and downloaded a plug-in to watch a video. While they were doing this, a vandal program (a rogue application that executes automatically when a user views certain kinds of Web pages or opens an e-mail attachment) logged them off without their knowledge and redialed their modems to connect to a 900 number overseas, for which they were later billed.
In fact, cyber-criminals based in nations once a part of the Soviet Union are a growing problem for US businesses. In one recent case, two men from St. Petersburg hacked into a US bank's computer network and transferred $10.5 million from the bank's corporate accounts into accounts they controlled.
"There's a lot going on out there right now," Mr. Sachs says. "Many businesses are driving on the information superhighway at 200 miles an hour without a seat belt or an airbag."
"When I used to teach, I often told my students that if you want to steal $1 million, use a computer," says Harvey Kushner, chairman of the criminal justice department at Long Island University. "You get more, you're less likely to get caught, and if you are caught, you'll do less time."
Professor Kushner says that computers have changed the face of crime. Much crime means some form of physical danger for the thief, and normally doesn't result in much ill-gotten gain.
"But computers enable crimes of concealment and deceit. It doesn't require violence. Anyone with a computer and a little skill can become a cyber-criminal. Smart college kids sitting in their university dorms can steal enough money to pay for their education, for instance. Five dollars here, five dollars there. Unfortunately, they don't even think it's really stealing.
"And it's a real challenge for the police. For 20 years, we've been training people to fight crime in a certain way. It used to be that bookies would keep all their records on rice paper that burned easily in case of a raid. So police had to barge in before the paper could be burned, and they were taught tactics to do that. But these days, to find that same information, you have to learn how to take apart a computer disk, or follow a vague cyber-trail, often across continents, just for a local crime."
Kushner also says that Y2K is a real opportunity for cyber-criminals. The emphasis on solving Y2K problems means that important security concerns are being put on the back burner because of lack of funds, he says.
Another problem for those computer security experts is that many companies that are victims of cyber-criminals either have no idea that they have been robbed or are reluctant to make cyber-crimes public because it might hurt their growing electronic commerce operations.
But steps are being taken to combat cyber-crime. In December 1997, US Attorney General Janet Reno and law officers from several countries agreed to develop high-tech solutions to combat computer crime and to prosecute criminals who cross borders to rob banks or sell child pornography in cyberspace.
Then last November, the International Chamber of Commerce based in Geneva announced it was establishing a special unit to help companies around the world combat cyber-crime. The group works closely with Interpol to fight Internet crime. And the US Federal Bureau of Investigation has also established an elite unit to combat cyber-criminals and cyber-terrorists.
But Sachs says the best thing that businesses of all sizes can do is act to protect themselves (see article at right).
"People feel they have time. They say, 'We don't know anybody who has been hurt.' Well, I know lots of people who have been hurt," Sachs says. "Coming from a for-profit company, there is always the sense that you're just using scare tactics to promote your product. But people need to be aware of the scope and scale of the kind of activities taking place, or else they'll become victims as well."
*Part 1 on cyber-war ran June 24. Part 2 on cyber-terrorism ran July 1.