Productivity Tools for Cybercrime

Stealing ten million dollars a few hundred dollars at a time used to be too labor-intensive to be a great business. Not anymore. The Internet and advances in semiconductor technology are revolutionizing theft and fraud. Thieves can now steal tens of millions of dollars at very high profit margins from low-value targets--at very low cost to themselves.

The recent indictment of a global hacker ring by federal prosecutors is a harbinger of cybercrime's future. The ring stole 160 million credit card numbers and sold the data for about $10 per USA card. The same group stole information on 800,000 bank accounts. More than $300 million was taken from three affected companies.

And now the news for cybercriminals is getting even better: a shadowy cybercrime underground is providing them with tools and services that will make them more efficient.

The productivity of low-level cyber-laborers can be staggering. No minimum wages here. The recent $45 million cyber-theft that targeted Bank of Muscat of Oman and National Bank of Ras Al Khaimah PSC (RAKBANK) of the United Arab Emirates spanned 27 countries. In ten hours, approximately $40 million was stolen in 36,000 transactions, or about $1,100 per transaction. The leaders of global crime ring that pulled off the heist have yet to be identified. Seven of the eight cyber-laborers who worked New York City have been apprehended. The eighth is believed to have died. The eight were able to steal $2.9 million in ten hours. The local gang kept around 20% or roughly $600,000. That comes out to about $7500 per hour per thief--more than one thousand times the city's minimum wage of $7.25 per hour. What a great alternative to flipping burgers.

One cybercrime's most important products is the botnet, short for robotic network, software programs that run on servers. The person in charge of the botnet is called a cracker. The goal of the botnet servers is to install malicious software on computers and turn them into zombie computers. Zombies take orders from the botnet servers. They may be commanded to send out spam, engage in denial of service attacks, or install software on other people's computers that enables them to track keystrokes. By tracking keystrokes, zombie computers can get access to user names and passwords linked to online bank accounts.

The computer in your home office may be one of these zombies--an active foot soldier in a cybercrime army.

The scale of these operations is difficult to comprehend. Microsoft recently broke up the Citadel Botnet Ring. The ring consisted of 1,500 botnet servers, the virtual equivalent of mafia consigliere that recruited and managed 1.2 million zombies. Microsoft claims Citadel Botnets were responsible for $500 million in thefts.

Large-scale, sophisticated botnet criminal rings have been quite expensive to set up. But now, criminal start-up entrepreneurs can do it on the cheap. They can buy software and services and get in business for as little as $595. They can even buy surplus zombies for pennies. Zombies under the control of the Zeus botnet were recently offered at $60 per thousand, or 6 cents per foot soldier. Payment in an anonymous Internet currency was required making it extremely difficult to identify the buyer or seller.

Service companies have sprung into existence to do the jobs computers can't. One of the techniques web sites use to thwart bots is captchas--the string of distorted letters users have to type in when setting up accounts on Internet sites. Because these distorted letters are difficult for machines to read, humans must do the job. Numerous sweatshops employing hundreds of workers have been set up in Asia, where low-wage workers decode captchas for less than a dollar per thousand. Some bots even contain interfaces that will automatically submit captchas to the sweatshops.

Shutting down a botnet ring is no easy task. One technique is to get court orders to disable botnet servers. When authorities in Panama and the Netherlands took down the Grum botnet that was primarily employed in sending out pharmaceutical spam emails from their countries, the cybercriminals brought up servers in the Ukraine, a safe haven for cybercriminals, to carry on their work. Another technique is to use "sinkhole" servers that can block botnets from getting access to the website they are trying to attack. Sinkholes can be used to discover zombie computers and notify their owners to disinfect them or take the infected computers offline.

Rapid technological advances are creating opportunities to expand the cybercrime market. RSA, the security division of EMC, a multibillion dollar company, believes that one of the major industry trends is that cybercriminals will discover new ways to monetize non-financial data such as utility statements and medical records. Barclays recently determined that cyber pickpockets using mobile phones could compromise its new secure contactless credit cards when they brushed by the electronic wallets with mobile phones. Researchers at University of California--San Diego discovered that plastic keys in ATM's warm to the user's touch. Using a thermal camera to photograph the keypads and they could identify the keys pressed after ten seconds in 80% of the cases and using the size of the thermal footprint they could identify the key order in many cases.

The opportunities are endless.

Times have certainly changed from when the big heists took place in the physical world and crime almost paid. The gold standard in bank robbers, Willie the Actor Sutton, stole $2 million in his purported 100 bank robberies, about $20,000 per robbery--$30 million and $300,000 in today's dollars. Unfortunately for thieves in the physical world, the same technologies that make cybercrime so attractive have reduced the amount of cash behind teller windows and in retail cash registers. Today, the average bank robber gets only about $5,000 per heist--about $400 in Sutton's day. It is low-return and dangerous work that frequently leads to long prison terms. Thanks to technology, earning a good dishonest living in the physical world has become a lot more difficult.

The challenge is to get rid of cybercrime's Willie Suttons by making cybercrime so expensive that engaging in it is not profitable. This is very difficult to do, since automation and declining semiconductor costs are driving down the cost of cybercrime just as automation and declining chip prices drives down the cost of smart phones.

Combating automated cybercrime will require international agreements between friendly and less friendly nations. Even countries that are willing to deal with the issue may be unable to deal with the problems. The Ukraine, for example, lacks adequate laws, and the government needs to be staffed with knowledgeable computer scientists. In order to gain control in this haven for cybercrime in a timely fashion, Ukraine and other countries will require international support.

Better personal identification systems could raise the cost of committing cybercrime. A secure national identification card that made use of biometric information such as fingerprints and retinal scans would make it more difficult to steal identities. It is more difficult to impersonate me on a phone call that uses voice recognition as part of the authentication process, or at an ATM if the ATM can read my fingerprints.

Companies are going to have to invest more heavily in making their systems more secure--manufactures, utilities, service providers, and financial institutions. In the United States, we are still hampered by the legacy of the original bank credit card issuers who developed the existing system in the 1960's assuming there would be only modest levels of credit theft. They were concerned that if they made the cards too secure, they would slow market development. A completely new system will be required that will go beyond the idea of just adding pin numbers to current magnetic stripe cards. Broadly adopting the European chip and pin-type cards that have reduced fraud by over 50 percent would require extensive upgrades to the current system. Point of sale terminals and ATM's would have to be upgraded or replaced.

The world is only starting to take cybercrime seriously. As more and more individuals in countries that tolerate cybercrime acquire computer skills, the problem is going to get a lot worse. Billions will have to be invested, cybercrime law enforcement agencies will have to be expanded, and consumers will be severely inconvenienced in order to make automated cybercrime not pay.