A recent Office for National Statistics (ONS) survey reported that one in 10 people are victims of cybercrime. Is this the watershed moment we have been looking for to change paradigms regarding active cybercrime reduction? Possibly, but doubtful.
By including statistics on exposure to computer viruses, the ONS survey exaggerates the number of incidents impacting people, as many of these outbreaks do not lead directly to a cybercrime. That said, we should not be waiting for cybercrime numbers to increase before beginning to act.
In 2005, banks in the United Kingdom finally decided to invest in Chip-and-PIN technology. This paradigm shift in handling physical credit card payments was difficult, impacting retailers and consumers alike. Infrastructure had to be replaced, and consumers were required to remember a separate PIN in addition to the one for their ATM card. When France had taken this plunge a few years prior, that country experienced a dramatic reduction in fraud. However, it was only once payment fraud in the United Kingdom reached a threshold that banks there decided something needed to be done.
Wind the clock forward, and U.K. consumers do not think twice about entering their PIN to complete a transaction – and physical card fraud levels in the United Kingdom are at historic lows. Chip-and-PIN has been a success, driving physical credit card fraud levels down significantly (almost 40 per cent in the first year). Moreover, from 2008 to 2015, card fraud fell from 12.4p to 8.3p out of every £100.
But the news is not all good: Over this period, there was a dramatic shift of payment fraud into 'card not present' transactions such as e-commerce, mail or telephone orders. One reason for this trend could be increased volumes of e-commerce transactions, of which a consistently small percentage was naturally lost to fraud. Another could be due to the lack of a cost-effective alternative in cyberspace for reading PINs off secure chips, as can happen in the physical world.
The industry has responded with schemes like 3-D Secure, deployed by Visa, and MasterCard’s SecureCode, which serves as a replacement of sorts for PINs, requiring customers to provide additional passwords or hidden tokens that offer additional assurance to payment providers before approving transactions. Additionally, online fraud monitoring has grown increasingly popular for profiling users, payments and transactions, and flagging unusual activities before approving payments.
However, online merchants need to be careful, as any false positives arising from fraud screening (when a genuine transaction is rejected) could result in a loss of business or loss of sale of goods. Some merchants have taken to accepting the risk on certain transactions or carrying out their own fraud profiling in order to validate genuine transactions.
With the evolution of digital payments and the adoption of smartphones, the world of online payments is changing again as secure mobile payments, digital currencies and alternative payment providers become more widely accessible. And despite the successes over the past decade in combating cybercrime, the online crime business is thriving and not going away anytime soon. We can learn lessons from history. When fraud risks are manageable and within a certain threshold, no major action is undertaken, as the additional overhead costs of preventing the fraud may not justify the expense. However, at a certain point, levels of fraudulent activity become so high that action is required and the investment becomes justified by the risks experienced.
As this happens, over a period of time, fraud activity shifts elsewhere to take advantage of weaker areas that are not as well protected, perhaps because the costs to protect those weaker areas cannot be fully justified by those trying to reduce the risk. But there is a significant side effect to these decisions: Just as lightning finds the path of least resistance to the ground when it strikes, fraud continues to find other areas to exploit and opportunities to thrive.
The U.S. credit card industry is now at a point of inflection similar to where the United Kingdom was a few years ago. Fraudsters targeting point-of-sale machines and e-commerce payment providers, hunting for primary account data, have been successful in stealing bulk credit card data and using their proceeds to literally print credit cards and cash out either physically or online.
A watershed moment like the one the United Kingdom had in 2005 when credit card fraud levels rose above acceptable levels is coming in the United States, where banks and retailers are finally making the move toward Chip-and-PIN to reduce card present fraud. Ultimately, this approach will seek to further devalue the credit card number for fraudsters as a means of monetising stolen credentials.
Some observers say that once the U.S. card payment process has been locked down further, online fraudsters will need to find a replacement income stream. The big, and heretofore unanswered, question is where they will go next. Unfortunately, Chip-and-PIN has yet to be introduced in many other countries; however, further fraud monitoring and screening will likely reduce the ability for stolen cards to be used in countries where Chip-and-PIN has not been implemented.
Moving on from payment fraud, recent attacks in the healthcare sector are validating reports that healthcare data is three times more valuable than financial data. It is likely that data theft in this sector will continue to rise. However, monetising stolen healthcare/personal data will become increasingly difficult compared to using stolen credit cards as the net on dark markets selling stolen data becomes more contained.
Email-spamming campaigns have been reduced but still plague internet-connected devices due to their simplicity and low barrier to entry – after all, it costs very little for fraudsters to send out millions of emails or social media messages, and they need only a small percentage of people to fall for their scams to achieve a worthwhile return on investment.
It’s possible that the new fraudster funding model will be through ransomware, which is already plaguing many computers, transforming vulnerabilities into profit. This software holds files to ransom, threatening to destroy an organisation’s data unless it pays up. However, apart from the ransomware bounty, little further value can be extracted from the fraud. Yet if next-generation ransomware were to actually review, analyse and sift through the files being processed, more value from the contents of the victim’s computer could potentially be extracted and monetised.
Such a strategy would require an infrastructure to support it and additional processes to orchestrate it, which may not be worthwhile for the fraudsters if there is other low-hanging fruit to pursue. For now, the fire-and-forget approach of current ransomware attacks appears to be the most frictionless approach for fraudsters to take.
Revenues from online marketing and advertising continue to soar. For fraudsters, either becoming part of this industry legitimately or disrupting it could be a more silent path to profit. They may decide to compromise computing resources quietly (not advertising their breaches) and use them as a means for generating profit, converting compromised systems into armies of unwitting people to generate clicks, consume advertisements, raise social media profiles or use them to spread further attacks elsewhere.
Another relatively new fraud marketplace is the selling of compromised machines, which can then be used to support a combination of cybercrimes covering distributed denial of service, spam, click fraud and ransomware bots, or for more targeted crimes in which the victim inadvertently provides access to sensitive private data or intellectual property.
Other fraud schemes are becoming more prevalent: Attacks in the United Kingdom relating to phishing fraud (e.g., a fake email from an organisation’s CEO to its CFO requesting an urgent payment transfer) are increasingly common. There have been similar attacks on companies such as private banks and law firms that hold client money – they have reported attempts to target cash under management through similar social-engineering techniques.
Moreover, since late last year, there have been reports of payment systems like SWIFT being targeted and successfully compromised. Earlier this year, there were attacks on one of the popular blockchain platforms and bitcoin exchanges.
It seems that online crime will continue to follow the money and attempt to disrupt legitimate payment processes or divert digital funds in order to take advantage of the next online crime wave.
The battle has not been lost, but it may never truly be won. The battlefield keeps changing and continuing to evolve; as one door closes, another is opened. On the positive side, doors are beginning to close on savvy targets as corporations advance their cybersecurity defences through additional awareness, monitoring and threat intelligence. Fortunately, knowledge sharing within industries and broader threat-intelligence activities are at their highest level in recent times. Moreover, cybersecurity risks have reached board-level awareness and companies are looking to understand their exposures and react and respond to the security-threat landscape that is now a reality for most.
Whether companies have the necessary resources, skills and focus to mitigate their security risks is yet to be seen. However, as we know, once levels of fraud reach a certain tolerance point, companies will dig deeper into their pockets and respond as part of the natural rite of passage for participating in the digital age.
The key challenge will be ensuring that companies avoid overspending in the wrong areas and losing focus on addressing what matters most to them. As anti-cybercrime experts begin to measure, categorise and capture cybercrime events, they will ultimately help the industry contextualise the results and enable organisations to focus on the cybersecurity issues that matter most to them.
Surveys such as the ONS study concluding that about 10 per cent of people are victims of cybercrime are the first step toward greater clarity about the problems we face so we can find appropriate solutions to address them. Let us not wait for the watershed moment in cybercrime to appear. Let’s get into the game instead of watching from the sidelines. Before the next wave of cybercrime inevitably follows and disrupts the flow of digital funds, we need to ensure that adequate due diligence and controls are being put in place to monitor critical processes and proactively detect frauds, ideally before they do damage.
Ryan Rubin is a Managing Director in Protiviti’s London office and leads the IT Security & Privacy practice.