Last time around
The 'Enemy Within' is computer savvy
Notorious insider on trial
Sun Microsystems to axe jobs
And Gates retires to 'do good'
Microsoft: No critical updates for Win 98 and ME users (and soon, no support at all)
Windows Vista to torture home users
The OECD and Cyberfraud
The OECD has released an 8-page Policy Brief, Protecting Consumers from Cyberfraud that is worth a gander. As well as old favourites like spam, the report discusses phishing, spear-phishing, vishing, pharming, malware, keyloggers and spyware.
It also quotes an OECD report from 2005 that reiterated that no-one is immune from cyberfraud, as anyone can fall victim to ever more sophisticated online scams. The report also provides interesting EU data, reflected elsewhere in the world, to the effect that 90% of e-commerce is business to business (B2B) rather than business to consumer (B2C), and poses the question as to whether that fact is attributable to consumer concerns about data security breaches and cyberfraud.
The Visa global security survey from earlier this year would appear to support that hypothesis, with consumers more fearful of data theft than terrorism.
The report is not news to anyone studying the issues religiously, but nonetheless it is a concise overview of the current situation. It also highlights an important issue: many victimized consumers have no viable, cost-effective legal recourse against cyber-criminals, and little hope of recovery. This realization will do little to engender trust in the Internet as a preferred means of doing business.
In China, banks have the upper hand
Reports (in Chinese) indicate that consumers in China who fall victim to cyberfraud must meet a reverse onus and prove that the bank was at fault. Apparently, irate consumers have started an online campaign to try to get redress for their claims and to publicize their cause: a potentially dangerous activity in China.
However, lest we feel superior in the West, it is by no means unheard of for western banks, most notoriously in the UK, to adopt a similar position and force plaintiffs to effectively prove that banking systems were insecure or vulnerable during the relevant time-frame, thus causing or contributing to their loss, while also denying plaintiff experts access to these very same systems to test their inviolability.
The cost of doing the right thing
Financial services companies that indemnify their clients for online fraud may be feeling the pinch, according to this Reuters report, in the wake of the SEC's (U.S. Securities and Exchange Commission) recent warning that ‘hackers based in eastern Europe are looting online brokerage accounts in the US in increasing numbers’.
TD Ameritrade Holding Corp. is the latest victim: it paid out $4 million in the third quarter to reimburse customers whose accounts had been hacked. Also hit was rival E*Trade Financial Corp., whose recent fraud losses have skyrocketed, increasing by $18 million in the third quarter, for similar reasons.
Anti-virus companies I have interviewed in recent months play down the keylogger/spyware threat, as if it were non-existent, but in the real world it still seems to be taking a bite out of consumers, and out of the businesses that indemnify them against losses.
The hackers, as always, have found the easiest way in, and target investors who ill-advisedly access their online brokerage accounts at public terminals, presumably at Internet cafes or the local Kinko’s. Such public terminals are often riddled with spyware; use them at your peril.
Remember, companies that will look sympathetically on your plight and reimburse you are vastly in the minority. They would also be within their rights to argue that you need to take some basic precautions to protect yourself, and your nest egg.
These companies are businesses, after all, not Mother Teresa, so don't push your luck.
Ex-hacker locates MySpace pedophiles, using their own names
In case you thought all online predators are extremely slippery, wily types, covering their tracks with miles of technology and offshore proxy accounts, think again.
Low-hanging fruit still exists: convicted pedophiles plying their wares on MySpace, using their own names, and making contact with alarmingly naive teenagers.
Read the whole story, and then chat with your tweens and teens.
It seems many of them know full well that bad people exist online, but nonetheless feel flattered by their attentions, or sorry for them, to the extent that they will agree to meet them.
Clearly, not good. The hacker turned journalist in this high-stakes game of cat and mouse was no boy scout in his day; it's nice to see him using his considerable grey matter for the greater sprog good.
Who says hackers can't reform?
UK defendant loses appeal in multi-million pound HSBC online fraud case
This appeal case in the UK is noteworthy for two things: the appallingly bad security and incident response planning at a major financial institution, and the result.
The UK appeals court upheld a finding of guilt against an HSBC call center employee, who got 5 years in the first instance for ‘conspiracy to defraud’. A conspiracy charge is often the charge of last resort brought by prosecutors when they don’t have much in the way of compelling evidence of guilt. It has an especially fraught history of use in the UK, having been used against IRA suspects who were subsequently reprieved after donkeys' years in prison.
The basic drift of the case, R. Paul Matthew Stubbs, is that Stubbs, the defendant, a lowly password reset clerk, surreptitiously reset a password on an AT&T client account that was subsequently ransacked to the tune of 12-plus million STG by persons with whom he had no known association, or indeed knowledge. No motive for this inexplicable act seems to have been put forward, and evidence about his whereabouts at the time the password was reset was conflicting and by no means compelling, or at least not beyond a reasonable doubt.
There was evidence that cleaners answered the corporate phones that received password reset requests, that there was a history of a recent serious fraud at HSBC, also involving password resets, and that the perpetrator of that crime may have been at large during this fraud. In addition, the 'expert' witness for the bank was arguably not so expert, and decidedly was not independent, being a bank employee.
Indeed, the bank’s investigation of a 12 million STG fraud was so deficient that it hampered the defence expert from carrying out an adequate investigation on behalf of his client: ‘the appellant's workstation had not been retained or imaged; there was no computer running the 2002 version of the Hexagon system which could be analysed; he had been provided with no information as to how the HSBC computers operated or produced the audit logs relied on by Mr Roddy; and he did not have the underlying data from which he could safely reach any conclusion’.
It appears quite extraordinary that this conviction stood, in light of the highly contaminated state of the crime scene alone.
However, the court found that ‘there was a solid evidential basis for the jury's decision to convict’.
It certainly doesn’t read that way. Let us, however, sincerely hope that I am wrong, and that this guy isn't the hapless fall guy for an embarrassing multi-million pound, unsolved bank fraud.