Cybercrime 101

Abstract

Discover the ways in which cybercrime occurs in three realms: individual, business, and governmental. Learn what you can do to protect yourself and your organization.

Sample

During the 1920s and 1930s in the United States, there was a rather famous bank robber named Willie Sutton. He was called "The Gentleman Bank Robber" because of his demeanor and natty dress style. Ultimately, he was arrested. Recycling an anecdote from an earlier blog, the authorities reportedly asked him why he robbed banks. As the legend goes, he responded, "Because that's where the money is." As far back as 2009, an episode of "60 Minutes" on cybercrime and cyberwarfare interviewed Shawn Henry of the FBI. Now at CrowdStrike, Mr. Henry talked about a coordinated raid on the banking system in 29 countries through simultaneous withdrawals at ATM kiosks. This crime, which cost ten million dollars, was performed using stolen credit card numbers. To paraphrase Mr. Henry it would be "front-page news" if that was carried out with guns blazing. Hackers, then, are committing cybercrime across the Internet with techniques ranging from identity theft to stealing credit cards to stealing intellectual property in order to profit from their crimes, commit espionage, or for geopolitical and social causes.

Considering the credit card black market and the theft of information from major retailers, hotel chains, and restaurants, the value of the cybercrime grows dramatically.

For the victims-individual or corporate-the consequences are personal. When a criminal accesses someone's personally identifiable information (PII), financial information, identity, or personal health information (PHI) and uses it to carry out fraud, the effects have been likened to the sense of violation and mourning that matches being told they have a serious health problem. After a breach, businesses need to expend resources to close the vulnerabilities that the criminals exploited and (perhaps) compensate customers financially or with services such as Identity Theft Protection. They also suffer the intangible costs (we call this qualitative risk) of loss of customer trust and loyalty. Even if a company isn't charging for services (such as an information website,) the lingering "bad taste" of the cyber-attack stays with the consumers.

Victims of Cybercrime

Broadly, as in life, we can look at the victims of cybercrime in three realms: individual, business, and governmental.

Carried out against individuals, the purpose of the attack may be to gather PHI or financial information to carry out an electronic robbery. Alternately, it may be to commandeer the victim's system into a so-called Botnet and then use the victim computer for sending SPAM or for a Denial-of-Service (DoS) attack. Here, as well, the bad actors may be cyber-gangs, individuals, or nation-states.

Cybercrime against consumers takes on two forms, but the results are generally the same. An individual may have their financial information misused or their "identity" stolen. For example, criminals have stolen my credit card number to rent hotel rooms in Accra (the capital of Ghana) and someone once tried to bail a friend out of jail with my information. Obviously, the latter did not work out well for any of the criminals, either in custody or soon-to-be. A much tougher problem for individuals occurs when "identity theft" takes place and the criminals use someone else's PII to obtain a loan or perform some other action that appears on the victim's credit report.

Individuals can also be victims of personally directed cybercrime. Stories of cyber-stalking, cyber-bullying, and online harassment regularly appear in newspapers and on news websites. With the growth in use of social media, this has taken on a new importance.

Businesses must be concerned about the theft of their customers' information, whether that is account information, residential and email address, or payment data such as credit card information. Hacks that disclose PII and financial information have been in the news continually (it seems) since December 2013. Facing customers and the Internet, website defacement can prove an embarrassment (at the least) to a company, as can having their Internet presences brought down by DoS attacks. Responses to these attacks cost money and resources to fix. They also engender lack of trust amongst their customers.