What we ... must confront today is an entirely new breed of criminal--one that transcends geographic boundaries or borders with a high degree of stealth and anonymity. We have witnessed the emergence of the professional Cybercriminal, a foe at home and abroad that continuously probes our critical infrastructure for weakness and vulnerability, in order to victimize the American public in a multitude of ways, and profit from our loss.
James M. Sheehan, Special Agent in Charge, Criminal Division, FBI Los Angeles. (1)
INTRODUCTION
The commercial use of the Internet came as an afterthought. The Internet's original designers aimed to create a communication system resilient in the face of a nuclear attack, not a secure network for business and consumer transactions. (2) The widespread use of commodity operating systems and software products that delivered rich functionality but lacked security aggravated the problem. (3) Viruses, worms, and hacker attacks caused tremendous damage and made securing Internet communications and Internet-connected computer systems the primary concern of software vendors and information technology ("IT") professionals. (4) A patchwork of technologies and software products emerged to protect computer systems and to make the Internet suitable for commercial use. (5)
By offering an inexpensive global communication medium, the Internet enabled businesses to provide information and deliver innovative products and services to a much wider audience of consumers around the corner or around the world. (6) For retailers, moving mail order business to the Internet expanded their customer base and reduced their costs. (7) The financial industry, especially global banking and financial services companies, quickly recognized and leveraged the tremendous potential of the Internet. (8) Now any customer with an Internet connection can access bank accounts and execute transactions at practically any time and from any location. (9) The customer can use a broadband connection to the Internet, a dial-up, or a satellite link in some remote place or aboard a ship.
Ensuring the security of online transactions, however, is a challenging task. (10) The global nature of the Internet exposes online businesses to attacks by cybercriminals of all types from all over the world. (11) Financial institutions, merchants, and organizations storing data that criminals can exploit for illicit financial gains are among the primary targets. Therefore, these institutions and actors must ensure that their computer systems can withstand attacks of the most sophisticated and skilled intruders, including organized crime syndicates, terrorist organizations, and foreign government agencies. (12) At the same time, it is critically important for American society to secure online transactions, ensure consumer confidence in conducting business online, and protect Americans from being victimized at an increasing rate. (13)
This Comment illustrates how government regulation, criminal justice, private legal actions, and market forces contribute to the security of online transactions. Further, it argues that government regulation aimed at the prevention of cybercrime should be the primary focus of the efforts to improve online security. Part I explains that malicious hackers are becoming an integral part of organized crime and terrorist organizations. Part II provides an overview of various attack schemes used by cybercriminals.
Part III examines industry efforts intended to prevent cybercrimes through technological solutions and raising awareness of information security issues among business leaders, government officials, and consumers. The discussion continues with an overview of private legal actions where plaintiffs attempted to hold business organizations accountable for failing to secure their personal and financial information.
Part IV addresses the role of the government in improving the security of online transactions. In particular, the discussion shows that many cybercrimes were precipitated by an organization's failure to adhere to basic information security principles. Using financial institutions as an example, Part IV also shows how government regulation can force business organizations to maintain adequate security of their computer systems.
Part V provides a discussion of various approaches to securing online transactions. Ultimately, Part V concludes that government regulation and oversight, the deterrent effect of criminal prosecution, and the right to enforce through private legal action compliance with government-mandated information security standards may be the optimal way to improve the security of online transactions and prevent cybercrime.
I. CYBERCRIME: A GROWING THREAT
A. Hackers as a Part of Organized Crime and Terror Networks
An inherent lack of security in the Internet architecture and relative user anonymity make the Internet an attractive medium for extortion (14) and crimes involving theft of personal information for illicit financial gain. (15) According to a recent IDG News Service report, hackers have joined forces with organized criminal groups to engage in increasingly sophisticated criminal schemes operated exclusively for profit. (16) Although computer crime experts agree that most computer-related crimes go either undetected or unreported, (17) the Internet Crime Complaint Center recently reported that the total annual amount of losses reported in 2006 was $198 million, compared with $183 million in 2005. (18)
Financial institutions are among the primary targets of cybercriminals. According to recent reports, organized crime groups have offered millions of dollars for help in breaking into financial institutions' computer networks. (19) The FBI has confirmed the existence of organized crime structures in parts of the hacking community, particularly in Eastern Europe, that function as criminal enterprises. (20) In such instances, hackers break into computer systems and steal data, while other individuals sell the data for profit to those who exploit the stolen data in order to gain unauthorized access to credit card, bank, and brokerage accounts of unsuspecting victims. (21) According to industry observers, the market for stolen identities has recently reached one billion dollars. (22)
The most alarming development in the area of information systems security is that terrorist organizations now perceive cybercrimes both as a source of financing for their activities (23) and as a new weapon in their arsenal. (24) For example, according to law enforcement organizations, the Irish Republican Army and the terrorists that plotted the foiled bombing of the Los Angeles International Airport used identity theft to finance their activities. (25) Imam Samudra, the radical Muslim cleric and mastermind of the devastating 2002 Bali bombing attacks that claimed 202 lives, called for fellow Muslim radicals to take jihad into cyberspace and tap into online credit card fraud as a source of funding. (26)
Although some individuals still break into computer systems for fun, bragging rights, or as a prank, they do not pose nearly as much of a threat to the security of online transactions as highly motivated, increasingly sophisticated, well-organized, and well-funded groups of cybercriminals and cyberterrorists. (27)
B. Hacker Tools for Sale
Contrary to popular belief, most of the attacks perpetrated against computer systems do not require a high level of technical sophistication. (28) Many hacking tools, as well as legitimate computer programs that cybercriminals use for malicious purposes, are freely available for download on the Internet, (29) while more sophisticated tools are offered for sale. (30) According to a recent study by IBM, attacks will likely increase in 2007 because cybercriminals organize networks dedicated to the production and commercial distribution of increasingly sophisticated malicious software ("malware") that is later used in criminal attacks on computer systems. (31) Additionally, Raimund Genes, the chief technical officer ("CTO") of Trend Micro, a security software vendor, contends that the revenue generated by the malware industry exceeded the twenty-six billion dollars earned by legitimate computer security vendors in 2005. (32)
The industrial production of malware will make it much more difficult for IT professionals to stay ahead of hackers in securing computer systems. (33) Gunter Ollmann, the director of security strategy at IBM's Security Systems unit, warned that the criminal malware infrastructure allows cybercriminals to target their attacks and build custom malware to be used against specific organizations. (34) This development increases the risk for high-value targets, such as financial institutions, payment processing companies, and big retailers. (35)
"Zero-day exploits" take advantage of newly discovered security vulnerabilities before software vendors issue patches for their affected products and, therefore, are especially valuable for cybercriminals. (36) In 2006, cybercriminals unleashed zero-day attacks on an unprecedented scale, raising serious concerns in the software development and IT industry. (37) But since it is legal to post information on the Internet about unpatched security vulnerabilities in commercial software products, law enforcement can do little to prevent the creation of code that exploits these vulnerabilities. (38)
The next Section provides a brief overview of attack schemes that cybercriminals use to cripple computer systems and gain unauthorized access to information that may enable them to execute fraudulent transactions.
II. INFORMATION SYSTEMS SECURITY AND CYBERATTACKS
The primary goals of information system security professionals are to ensure the availability of computer systems and the data stored in them for authorized users, as well as to protect the integrity and confidentiality of the data. (39) Any attack against a computer system affects at least one of these three major components of information security. (40)
A. Denial-of-service Attacks
Denial-of-service ("DoS") attacks are primarily aimed at disrupting the availability of computer system resources to authorized users, usually by sending invalid data that causes the server software to crash or by flooding computer systems with invalid requests. (41) The increasing number of unsolicited junk e-mails, known as spam, can also cause a DoS by decreasing or denying availability of e-mail services to authorized users and by clogging their mailboxes with unwanted e-mails, thus interfering with the user's ability to send and receive legitimate e-mail messages. (42) To launch distributed denial-of-service ("DDoS") attacks, cybercriminals, using malware installed on hundreds or even thousands of compromised computer systems, attempt to flood the victim's network with requests and disrupt access to the target Web site or to overload the victim's servers and cause them to crash. (43)
Even more dangerous is a distributed reflective denial-of-service ("DRDoS") attack, where the attacker uses compromised computers to send connection requests to many other computers on the Internet, specifying the victim as the originator of the requests. (44) This causes the computers receiving the requests to send replies to the victim's computer multiple times, clogging the victim's network with their replies. (45)
DDoS attacks are not a kids' game anymore; they have become a weapon of choice for cyber-extortionists and unscrupulous businesspeople attempting to bring down competitors' Web sites. (46) The DDoS, and especially DRDoS, attacks are very difficult to investigate because of the difficulty in tracing them back to the attackers. (47) Nevertheless, in Los Angeles in 2004, the FBI executed the first arrests related to a large-scale DDoS attack used for commercial purposes in which two businessmen hired a team of hackers to bring down competitors' Web sites. (48)
B. Spam
In 2004, Microsoft founder and chief software architect Bill Gates predicted that spam would be gone by 2006. (49) Despite his prophecy, spam comprised up to ninety percent of all e-mails in 2006. (50)
IT administrators are constantly struggling to protect their e-mail servers from an ever-increasing volume of spam. (51) To bypass e-mail filters, spammers started using images instead of text in their e-mails. (52) To avoid detection, spammers often use compromised computers and unprotected wireless networks to send millions of junk e-mail messages. (53) Although modern anti-spam systems usually filter out around ninety-eight percent of spam e-mails, spammers ensure that a large number of their e-mails still reach users' mailboxes by employing automated spam engines to send out a huge volume of e-mails. (54)
Cybercriminals often use spam e-mails in various fraud and identity theft schemes to gain unauthorized access to financial accounts or for large-scale deployment of various types of malware. (55)
C. Phishing
As financial institutions and online merchants make their Web sites more secure, cybercriminals more often resort to relatively low-tech attacks, such as phishing. (56) "Phishing" refers to criminals' creation of e-mails and Web sites designed to look like e-mails and Web sites of well-respected legitimate businesses, financial institutions, and government agencies in order to trick Internet users into disclosing their financial account or other sensitive personal information. (57)
Although software vendors add anti-phishing features to their products, cybercriminals change their tactics to stay ahead of the game. (58) More sophisticated phishing attacks may attempt to exploit vulnerabilities in a financial institution's or online payment services company's Web site in order to redirect the victim's browser to a malicious Web site while maintaining the appearance that the victim is still connected to a legitimate Web site. (59) Other phishing attacks may involve the use of deception to install spyware on victims' machines in order to steal sensitive personal information. (60) Attackers also started using unique URLs for each phishing e-mail they send to make it more difficult to identify and block the attack. (61) "Spear phishing" is another type of phishing attack where attackers target a specific group of Internet users, for example employees of a particular financial institution, in an attempt to steal their access credentials. (62) Criminals often use automated phishing tools, spam engines, and botnets in their phishing attacks. (63)
Despite extensive efforts by software vendors to improve the security of their products, phishing is still a serious threat to the security of online transactions. (64) Victims of phishing attacks suffer financial losses, and must spend time and money rebuilding their credit and good name.
D. Zombies and Botnets
Compromised computers with installed malware remotely controlled by cybercriminals are usually referred to as zombies. (65) A botnet is a group of zombies controlled by a particular hacker or criminal group. (66) The owners of zombie computers are not usually aware that their computers have become part of an illicit network and a tool in the hands of cybercriminals. (67)
Botnets have become a very important and extremely dangerous weapon in the cybercriminals' arsenal because of their concentrated power, which criminals can use to perpetrate various malicious acts on the Internet. (68) Botnet attacks...