The Cybercrime Wave That Wasn't

samzenpus posted more than 2 years ago | from the online-boogeyman dept.

Crime 85

retroworks writes "Dinei Florencio and Cormac Herley write that cybercrime depleted gullible and unprotected users, producing diminishing returns (over-phishing). They argue that the statistics on the extent of losses from cybercrime are flawed because there is never an under-estimation reported. Do they underestimate the number of suckers gaining internet access born every minute? Or has cybercrime become the 'shark attack' that gets reported more often than it occurs?"

85 comments

First Post (-1)

Anonymous Coward | more than 2 years ago | (#39699119)

First Post

Flavour of the month (5, Informative)

AmiMoJo (196126) | more than 2 years ago | (#39699125)

Ever notice how when there is a notorious crime reported suddenly lots of other similar crimes start happening? Well, they don't suddenly start, they were happening before, just not being reported. It isn't over or under reporting in the sense that our stats are wrong, only in the sense that the mass media does a shit job of conveying factual information to the public.

Defences are improving, people are getting more savvy. Obviously crime levels will go down. Back in 2002 XP didn't even have its firewall enabled by default. Everyone hated Vista for being locked down and hurling UAC prompts at the screen all the time, but it definitely worked.

Re:Flavour of the month (0)

Anonymous Coward | more than 2 years ago | (#39699155)

Ever notice how when there is a notorious crime reported suddenly lots of other similar crimes start happening?

Except when there is actually a new "crime" (or at least a new way of falling victim to it...).

Re:Flavour of the month (0)

Anonymous Coward | more than 2 years ago | (#39699201)

Just wait till IPv6 becomes standard and users will have to take an active role in personal firewalls....

Doesn't history repeat itself?

Re:Flavour of the month (2)

locofungus (179280) | more than 2 years ago | (#39699437)

Just wait till IPv6 becomes standard and users will have to take an active role in personal firewalls....

I don't see why you would think this would be the case.

Pretty much every current IPv4 router[1] comes by default in a NAT configuration. To enable bridging, port forwarding etc generally requires changing settings on the router.

There's absolutely no reason why IPv6 routers can't have a stateful firewall that blocks incoming connections by default. It's LESS difficult to do than NAT as there doesn't need to be packet inspection etc for things like FTP.

[1] My cable modem operates in a bridged mode. I'm pretty sure I didn't change that but I could be wrong. It was a while ago now that I set it all up.

Tim.

Re:Flavour of the month (1)

heypete (60671) | more than 2 years ago | (#39699715)

There's absolutely no reason why IPv6 routers can't have a stateful firewall that blocks incoming connections by default. It's LESS difficult to do than NAT as there doesn't need to be packet inspection etc for things like FTP.

Indeed. My WRT54GL (running a customized version of TomatoUSB with IPv6 and an OpenVPN server) handles IPv6 in precisely that way, with DROP being the default.

For the few home IPv6-capable servers that I run that need incoming access from the IPv6 internet, the router's web interface allows one to open specific ports for specific IPv6 addresses. No NAT required, which is nice: I can have several servers running on the same port with no issues.

Re:Flavour of the month (1)

RulerOf (975607) | more than 2 years ago | (#39699801)

The router's web interface allows one to open specific ports for specific IPv6 addresses. No NAT required, which is nice: I can have several servers running on the same port with no issues.

The question I put back to that statement though: Since NAT is a pseudo-firewall for IPv4, applications running on computers leverage some IP trickery (NAT traversal techniques) or dynamically map ports via UPnP to achieve connectivity. Those techniques aren't the classical "allow X past firewall" setting though, they merely give the traffic somewhere to go instead of bouncing off of the router's TCP stack.

How does one achieve the connectivity that full IPv6 *should* have (but won't because the clients won't talk to the border firewall), which is identical to the effective connectivity and security that we have via IPv4 with UPnP today?

I would really like to know, because the one and only time I got IPv6 working right on my network, I shut it right the hell down when I ran a web-based port scan :-(

Re:Flavour of the month (0)

Anonymous Coward | more than 2 years ago | (#39699867)

You open the port. Simple huh? The application doesn't need to talk to the firewall to do UPnP anymore, since you don't depend on NAT (which provides no security whatsoever by the way).

Re:Flavour of the month (0)

Anonymous Coward | more than 2 years ago | (#39699981)

Well, NAT by default drops all incoming connections, so that's something. But if you have your network configured so that clients can request the NAT-box open ports for them automatically, you lose that.

Re:Flavour of the month (1)

TheLink (130905) | more than 2 years ago | (#39700273)

NAT by itself doesn't drop all incoming connections.

If there is no firewalling an attacker with access to the adjacent network "outside" the NAT router can access the internal network (assuming knowledge of the internal IP addresses - which isn't that hard). This risk is normally quite low, compared to the risk of someone "out there" trying to get in.

But thinking they can't get in just because there's NAT and they're the other side of the world is not true. Hackers have been able to subvert ISP routers and make packets take strange paths.

Re:Flavour of the month (0)

TheRaven64 (641858) | more than 2 years ago | (#39701149)

NAT by default drops all incoming connections

No it doesn't. NAT by default performs address translation. The stateful firewall drops incoming connections by default, NAT translates the permitted ones to a given address. There are consumer NAT boxes that include the concept of a 'default host' so any inbound traffic goes to that machine. There are others that include a firewall that drops inbound traffic.

The situation is more or less the same for IPv6. A firewall may default to not allowing any incoming connections, to only allowing incoming connections to a single machine, to only allowing incoming connections on a set of useful ports, or to allowing all incoming connections.
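
The default-deny IPv6 setup that locofungus, heypete and TheRaven64 describe above (stateful firewall, inbound dropped unless a port is opened for a specific address, no translation), written out as an nftables ruleset for a home router. This is an added example, not configuration posted by anyone in the thread; the interface names wan0 and lan0 and the 2001:db8:1::/64 documentation prefix are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): IPv6 stateful firewall on a home router.
# Assumed placeholders: WAN interface "wan0", LAN interface "lan0",
# LAN prefix 2001:db8:1::/64 (documentation prefix, replace with your own).

add table ip6 home
flush table ip6 home
table ip6 home {
    # Hosts that may receive unsolicited inbound connections, per service.
    # Two hosts can share port 443 because nothing is being translated.
    set ssh_hosts { type ipv6_addr; elements = { 2001:db8:1::10 } }
    set web_hosts { type ipv6_addr; elements = { 2001:db8:1::20, 2001:db8:1::21 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened: the "stateful" part, which is
        # what the NAT translation table happens to give you on IPv4.
        ct state established,related accept
        ct state invalid drop

        # Anything originating on the LAN may go out.
        iifname "lan0" oifname "wan0" accept

        # IPv6 breaks without ICMPv6: path MTU discovery (packet-too-big) and
        # error reporting must be let through even with a drop policy.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Per-address, per-port opens from the WAN side; everything else
        # falls through to the chain policy and is dropped.
        iifname "wan0" ip6 daddr @ssh_hosts tcp dport 22 ct state new accept
        iifname "wan0" ip6 daddr @web_hosts tcp dport { 80, 443 } ct state new accept
    }

    chain input {
        # Traffic addressed to the router itself: same default, but neighbour
        # discovery, router advertisements and MLD must work or the LAN dies.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, mld-listener-report, mld-listener-done, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        iifname "lan0" udp dport 547 accept   # DHCPv6 server on the router
        iifname "lan0" tcp dport 22 accept    # manage the router from the LAN only
    }
}
```

Load it with `nft -f` and check the result with `nft list table ip6 home`; the common mistake when converting an IPv4 mindset is to drop ICMPv6 wholesale, which silently breaks path MTU discovery and neighbour discovery.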

Re:Flavour of the month (0, Insightful)

Anonymous Coward | more than 2 years ago | (#39699219)

Ever notice how when there is a notorious crime reported suddenly lots of other similar crimes start happening? Well, they don't suddenly start, they were happening before, just not being reported. It isn't over or under reporting in the sense that our stats are wrong, only in the sense that the mass media does a shit job of conveying factual information to the public.

Yeah like whenever a lame duck is trying to get re-elected there's a "white on black" shooting that wasn't really racial in nature and wasn't really done by a white guy.

Or whenever a bullshit pointless war isn't going well suddenly there's a white girl gone missing that we have to hear about for five weeks straight.

They say "commercial speech" is not as thoroughly protected by the Constitution as political or personal speech. Can we leverage that to pass a new regulation for media outlets: they shall not report about a criminal case until a trial has been held and a verdict issued and shall not report on the same event for more than one week. Just for the sanity of what few rational people managed to stay rational in the face of a psychotic pop culture.

Never saw anything more pointless than these hundreds of last-minute play-by-play updates on every little thing as if it was a sports event. "This just in! Zimmerman is asleep in his cell block! OH WAIT BREAKING NEWS! He appears to have woken up, scratched his rump, and gone back to sleep! MORE BREAKING NEWS! It's morning now and he's awake. Yes folks, he's AWAKE! Wow! Let's hear what our analysts have to say..."

Re:Flavour of the month (-1)

Anonymous Coward | more than 2 years ago | (#39699357)

Oh noes, he said something true that I don't like. Quick, mod it down! If you just mod hard enough eventually 2+2 will equal 5. That's so much more productive and mature than learning to cope with it equalling four. It's so much more useful than posting a response too.

Really you idiot mods don't see the pattern here? Obama is a Democrat, the party of group identity and victimhood. Obama is doing badly. So suddenly a "white" (really Mexican) guy shoots a black guy, something that unfortunately happens a lot especially when you consider both groups have gang members. But this one is suddenly extra-super-duper newsworthy!

Bush is a Republican, the party of religious fundamentalists, gun issues, and "family values" whatever that means this year. Bush was starting to look stupid when 9/11 had too many unanswered questions (involving physics), then Iraq and Afghanistan turned out to be the new Vietnams, more pointless expense and loss of life. So hey suddenly a white girl named Elizabeth Smart gets kidnapped. That's also something that unfortunately happens a lot, but by God this one is somehow totally special and needs weeks and weeks of minute by minute coverage.

You seriously don't see a pattern here? Or you think I am wrong and being a gutless coward with no position of your own, you think modding me down is the very finest way you can handle that? It's not just Slashdot. The _world_ is being ruined by petty little tyrants who think every system is the instrument of their impotent personal outrage.

Please mod this informative (seriously) (2)

RulerOf (975607) | more than 2 years ago | (#39699827)

Oh noes, he said something true that I don't like. Quick, mod it down! If you just mod hard enough eventually 2+2 will equal 5.

You were modded down because you're an asshole, posting off-topic. I humbly request anyone with a spare mod point to make this troll's day:

2+2 = 5

Re:Flavour of the month (0)

Anonymous Coward | more than 2 years ago | (#39700593)

The media wants news to be interesting. The Zimmerman case is ideal: it gets people pissed off on both sides of it. People are arguing with their neighbors and staying glued to the TV set for updates.

Meanwhile, the Republican party just settled on Mitt "The Least Interesting Man In The World" Romney as their nominee. That's not interesting; the incumbent is going to destroy him. FDR had to campaign harder for reelection. It was a nice media spectacle when there was a race between him and Rick "Nehemiah Scudder" Santorum, and they played that up for all it was worth. Now that's over. (Further: are you seriously in support of a two-year-long 24-hour Presidential campaign cycle? It's April, the election is in November, and I'm already sick of the coverage.)

Re:Flavour of the month (1)

JasterBobaMereel (1102861) | more than 2 years ago | (#39699327)

Two issues:

1: The crimes were reported, as fraud, identity theft, etc. ... just not categorised as Cyber Crime ...

2: People do more on-line now and so the crime that does happen costs them real money, not just inconvenience, and so gets reported.

Vista was rubbish at security, Microsoft finally woke up to the don't run as root model, then implemented it in a very visible way that annoyed the user into not reading the prompts ... so they accepted everything (including the scumware..)

Win7 seems to have implemented it in the right way, ask when it's important, once, so it's unusual to see a prompt and so people actually read it ...

Re:Flavour of the month (1)

RulerOf (975607) | more than 2 years ago | (#39699855)

Win7 seems to have implemented it in the right way, ask when it's important, once, so it's unusual to see a prompt and so people actually read it ...

With Windows 7, I concur that Microsoft did do it right, but it's not that it asks any less frequently per se, it's just that certain things are automatically elevated without a UAC prompt. There were some nifty little tricks that abused that at first, because rundll32.exe was one of the auto-elevated applications.

What was really obnoxious about UAC in Vista (that led me to turn it off) was that even running MMC, by itself, would cause a prompt. This was annoying as all hell when you were launching it to manage a remote server---an activity for which UAC cannot really be employed to prevent malicious behavior, as UAC only protects local resources.

Re:Flavour of the month (1)

AmiMoJo (196126) | more than 2 years ago | (#39701267)

Microsoft finally woke up to the don't run as root model, then implemented it in a very visible way that annoyed the user into not reading the prompts ... so they accepted everything (including the scumware..)

It was, unfortunately, necessary.

Back in the XP days legit software did a lot of bad things. Writing to the registry, shitting all over the filesystem, changing OS settings, installing drivers, making itself start at boot time and so forth. Microsoft could have just broken all that but then people would have been pissed off that none of their software worked. Instead they came up with UAC that annoyed the user in the hope that application developers would change their habits and try to avoid generating them.

Some people will always click "yes" to anything, but the majority seem to understand that when they get random UAC prompts and were not actually trying to install something themselves it is probably bogus, and gradually not having any at all during installation of most software is becoming the norm.

Re:Flavour of the month (-1)

Anonymous Coward | more than 2 years ago | (#39699469)

Re:Flavour of the month (0)

Anonymous Coward | more than 2 years ago | (#39699679)

This is much like buying a new car. It's after I buy a new car that I start noticing all of the other similar cars on the road. Did the number of cars on the road change? No. It's just I am now more aware of that make now that I own one.

Smarter and Smarter (2)

Tempest451 (791438) | more than 2 years ago | (#39699127)

I think every generation will get more computer savvy, making it harder for 2-bit phishers or lazy hackers to cause any real damage.

Re:Smarter and Smarter (1)

MacGyver2210 (1053110) | more than 2 years ago | (#39699409)

How do you phish with only 2 bits? That must be a miracle of coding.

Re:Smarter and Smarter (2, Funny)

Anonymous Coward | more than 2 years ago | (#39700015)

payphones

Re:Smarter and Smarter (1)

TheRaven64 (641858) | more than 2 years ago | (#39701205)

One is the evil bit.

Re:Smarter and Smarter (1)

History's Coming To (1059484) | more than 2 years ago | (#39700547)

Depends on your definition of "computer savvy" - as we get more layers of UI people will generally have less and less of an idea what's going on, just look at how many people equate "windows" and "computer". People will hopefully become more resistant to social engineering approaches like phishing, but the use of a computer is almost coincidental, these types of scams have been going on since the telegraph system and probably before. Gullible people will always fall for something.

Over-Phishing (5, Funny)

SJHillman (1966756) | more than 2 years ago | (#39699131)

Let's continue using the phishing analogy

Fly-phishing - Phishing involving air travel
Saltwater Phishing - Phishing from overseas
Weekend Phishing - A leisure time activity that's used more as an excuse to drink beer than to scam people
Phishing Boat - A scammer's base of operations located on a vessel in international waters
Phishing Rod - Viagra scams
Phishing Line - Like a pick-up line, but for money instead of sex

Re:Over-Phishing (1)

Canazza (1428553) | more than 2 years ago | (#39699407)

No no no, Viagra Scams are Phishing Tackle.

Re:Over-Phishing (1)

RulerOf (975607) | more than 2 years ago | (#39699871)

So then is a phishing scam involving trousers called a Tackle Box?

Re:Over-Phishing (2, Funny)

Anonymous Coward | more than 2 years ago | (#39700227)

So then is a phishing scam involving trousers called a Tackle Box?

No, you won't see Tackle Box phishing scams until Viagra for women.

Re:Over-Phishing (1)

MacGyver2210 (1053110) | more than 2 years ago | (#39699435)

Somehow I see this taking a sidestep into trolling (as in fishing trolling, not "trolling is a art" trolling).

Re:Over-Phishing (1)

SuricouRaven (1897204) | more than 2 years ago | (#39699527)

Trawl Phishing: Sending phishing emails in bulk without targeting, in the hope someone will be dumb enough. The classic approach, as opposed to spear phishing.

Re:Over-Phishing (0)

Anonymous Coward | more than 2 years ago | (#39699533)

Saltwater Phishing - Phishing from overseas

No, no, no! That's CLEARLY Phishing from international waters to evade the law!

Re:Over-Phishing (1)

Inda (580031) | more than 2 years ago | (#39699685)

Wow. With all those methods I could probably catch a Phish this big:

| - - - - - - - - - - |

Lameness filter encountered. Post aborted!
Filter error: Please use fewer 'junk' characters

Slashdot lameness, if that's really a really real word, should be la la la space filler.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc eu dolor arcu. Mauris vestibulum venenatis dui. Nullam eu neque dui, et vulputate neque. Mauris dictum, ipsum vel suscipit bibendum, augue lorem semper sem, eu tempus justo magna at justo. Nullam consectetur aliquam arcu, eu scelerisque mauris posuere ac. Donec at eros est. Suspendisse euismod nisi a felis porta sit amet pellentesque ante porttitor. Aliquam eu sapien eget ipsum euismod pulvinar. Morbi at congue orci. Phasellus tincidunt sapien varius nulla ultricies vitae vulputate tellus accumsan. Mauris lobortis eros tincidunt arcu porttitor eu pharetra odio pulvinar. Nulla nec arcu augue, luctus volutpat risus. Mauris tempus, nulla ullamcorper porta consequat, urna nisi blandit quam, in molestie nunc tortor et tellus. Vestibulum dolor arcu, sodales rhoncus varius ut, commodo et turpis.

Suspendisse in massa vitae erat vestibulum aliquet. Maecenas sed enim ac lorem tristique volutpat a quis nibh. Praesent pellentesque pulvinar convallis. Donec ornare convallis facilisis. Nullam scelerisque dignissim nulla a dapibus. Sed non mi vitae odio lobortis pulvinar eu sed purus. Donec volutpat tempor viverra. Mauris consequat sollicitudin nulla nec rhoncus.

Re:Over-Phishing (1)

FingerDemon (638040) | more than 2 years ago | (#39699693)

Don't forget "Phishing License" - State sponsored phishing for gov't or corporate secrets.

One born.. (0)

Anonymous Coward | more than 2 years ago | (#39699145)

and two to take 'em. It's not easy out there, you know.

well, (0)

Anonymous Coward | more than 2 years ago | (#39699149)

Considering I've had to have a new credit card sent out every year due to fraud tells me there's a problem (my bank is really good at detecting fraud - I never see the charge - it's caught as it happens).

Re:well, (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#39704621)

Maybe it's time to virus scan that computer you keep using for your online banking...

A lot of cybercrime goes unreported (0)

Anonymous Coward | more than 2 years ago | (#39699161)

Imagine the backlash and financial damages for a company under any compliance regulation. The IT engineer/admin(s) will face tribal council and one will be blamed for it. They probably won't have a career in IT again.
Now imagine if the IT dept keeps their mouth shut and brushes it under the rug. No one will know, no one will need to know.

UNPOSSIBLE! (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39699169)

Cybercrime is the new terrorism! The new war on drugs!

Something we can 'fight' forever and spread a lot of money around (most of it to ourselves and business partners).

Why do you hate America? Do you want the evil cyberterrorist criminals to steal your identity and rape your dog?

Plenty of suckers in the sea (5, Interesting)

Formorian (1111751) | more than 2 years ago | (#39699171)

I work in a place that gets many calls related to phishing scams. You would not believe how many people argue with you on the legitness of the letter, they just don't understand why the money hasn't come to them yet. I don't believe in the past 5 years I've been here, the volume has decreased. Hasn't increased either, it tends to be steady every year.

My own parents were hit with a rental scam (even though I had told them always ask me first about anything fishy). It was hey we'll sign contract, here's money order, oh crap we sent you too much, can you send the difference back. Lost $500, but learned a lesson and changed how they do rental agreements as a result.

So 1 fish is out of the sea, but unfortunately with billions of people on the planet, there are plenty suckers out there. Also, many of these scams appeal to the get rich quick mentality of people. I mean how come other scams can keep working unless people have this need that "maybe this is the time this works and I can stop working or afford ".

To people thinking that every generation will get more computer savvy and this will go away, I tend to disagree. Just because a generation is tech savvy doesn't mean they won't fall for the temptation to make money quick, even if it does sound too good to be true.

Anyway, just my 2 cents.

Re:Plenty of suckers in the sea (4, Funny)

SJHillman (1966756) | more than 2 years ago | (#39699213)

If you think it's bad for the victims, think of the poor princes in Africa who can't find anyone to believe them when they want to traffic large sums of money into an offshore account?

Re:Plenty of suckers in the sea (3, Funny)

ccguy (1116865) | more than 2 years ago | (#39699885)

A classic: http://xkcd.com/570/ [xkcd.com]

Re:Plenty of suckers in the sea (2)

Hatta (162192) | more than 2 years ago | (#39699351)

Individual phishing events are the least of one's worries these days. Even if you're able to completely avoid fraud yourself, you're likely to have your account details exposed in a breach of a credit card processor.

Re:Plenty of suckers in the sea (1)

MacGyver2210 (1053110) | more than 2 years ago | (#39699451)

Prepaid credit cards only, mate. $5 at Walgreens/CVS.

You can load enough cash to buy a car, and once it's empty there's no point in worrying - nothing gets charged unless you put the cash into the account first.

Re:Plenty of suckers in the sea (4, Informative)

heypete (60671) | more than 2 years ago | (#39699747)

Or I could just use my regular credit card, which gives me various perks (cash back, airline miles, etc.) with no service fees (unlike the prepaid ones).

In the unlikely event that my card is misused I simply call the bank, dispute the charges, and get a new card in the mail. This has happened to me once or twice over the years (bad guy acquired card info without my knowledge) and I've spent less than 30 minutes total dealing with the fallout from such events.

Sure, I shouldn't have to deal with it at all in an ideal world, but dealing with the aftermath of credit card fraud is pretty much a non-issue from the side of the customer.

Re:Plenty of suckers in the sea (1)

u38cg (607297) | more than 2 years ago | (#39699933)

Well, until you get a CIFAS listing or equivalent. Then you're innocent but your life becomes very difficult.

Re:Plenty of suckers in the sea (0)

Anonymous Coward | more than 2 years ago | (#39701509)

That's funny. I had a Mastercard from the Bank of Montreal for over 20 years. When I called them to dispute a charge from my phone company, they told me that they don't really claw back transactions. When I started to raise a fuss, they said they would mail out a form that I would have to fill in. I found it easier to take the phone company to small claims court to collect my money than to deal with a BMO Mastercard.

Needless to say, I'm not a BMO Mastercard customer anymore. They suck donkey balls.

Re:Plenty of suckers in the sea (1)

Rich0 (548339) | more than 2 years ago | (#39721147)

I assume you're Canadian?

Laws regarding credit cards no doubt vary considerably internationally. In the US they're shockingly consumer-friendly. The burden of proof is basically on the merchant to demonstrate that the charge is legitimate. Until the dispute is resolved the charge has to be removed, you don't have to pay it, and you can't be charged interest on it either.

Re:Plenty of suckers in the sea (1)

brainzach (2032950) | more than 2 years ago | (#39699603)

How often do these data breaches actually result in fraud?

Every few months, there seems to be another story about how a hacker has stolen millions of credit card numbers, but you hear few stories about victims of these attacks. You'd think there should be a large class action lawsuit or something in the news.

It just seems like most of the time, security consultants are exaggerating these stories to sell their products.

Re:Plenty of suckers in the sea (1)

TheRaven64 (641858) | more than 2 years ago | (#39701335)

There was a slashdot report recently about the average taking from a stolen card number in a recent breach being about $20. This probably makes sense. If you put three $7 transactions on a card over a six month period then most people will probably just ignore them and assume that they were things that they simply forgot about. Some people will complain, and the bank will just reverse the charge and make the merchant (you) eat the loss (not really a loss, because you didn't really provide a product in return). Get half a million people who don't dispute the charge and you've got an income of ten million dollars. Maybe spend one million setting up all of the fake companies to take payments and you walk away with $9m - enough to live quite comfortably for the rest of your life.

A similar approach works with mobile phone malware. Make a call to a premium-rate number for one minute and most people will either not look at their bill or assume that it was a number they dialled accidentally. If the cost is under a dollar, most people who do notice it will figure that it will cost them more to call their mobile phone company and dispute it than they'll get back.

No single customer loses much, but every time it happens the overall cost of using these systems goes up very slightly.

Re:Plenty of suckers in the sea (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#39699853)

legitness

Completely off-topic, but the word you're looking for is "legitimacy". I'm no grammar nazi, and I'm not trying to troll or put you down either; you seem quite literate. I just wouldn't like to think that you'd put such a non-word into a term paper / official document by mistake.

Re:Plenty of suckers in the sea (1)

Formorian (1111751) | more than 2 years ago | (#39699961)

Hadn't had my caffeine yet. Normally I can't stand people misspelling words (even in MMOs), but I don't say anything, just a pet peeve. When I noticed it, it was already submitted and there's no edit button.

Re:Plenty of suckers in the sea (2)

RobertLTux (260313) | more than 2 years ago | (#39700397)

For telephone scams one big trick is to have
http://www.gpo.gov/fdsys/pkg/CFR-2011-title47-vol3/xml/CFR-2011-title47-vol3-sec64-1200.xml [gpo.gov]
printed out and ready to read from during the call. Very good odds that if they even think you know the law they will hang up quickly.

and yes in the US 47CFR64.1200 is THE LAW period FULL STOP

Re:Plenty of suckers in the sea (1)

Mitreya (579078) | more than 2 years ago | (#39700643)

It was hey we'll sign contract, here's money order, oh crap we sent you too much, can you send the difference back. Lost $500,

I think banks should be held responsible for that one.
I never got to see the money order, but from what I understand banks deposit the money order and credit it (not like a check that gets verified first) and then, 2 weeks later, the money is yanked from your account, because the money order is fake.
If you bring cash, the bank will test it. If you deposit a check, it will get confirmed before money is available. Why are money orders different??

Re:Plenty of suckers in the sea (1)

DNS-and-BIND (461968) | more than 2 years ago | (#39703599)

The reason that confidence scams always work: they rely on the mark's willing compliance in a scheme that seems too good to be true. The mark thinks he's putting one over on the scammer.

Fix the Surveys (4, Funny)

residieu (577863) | more than 2 years ago | (#39699287)

So we need to fix the surveys! If you get asked about how much you lost to cybercrime, claim to be a cybercriminal and give negative numbers. "I made $2 million in my Nigerian Prince scam. Would you help me smuggle money out of my country before my usurper cousin recovers it?"

There will always be too much cybercrime (0)

Anonymous Coward | more than 2 years ago | (#39699301)

Just like there will always be too much offline crime. Why?

(1) More crime means bigger budgets for MANY administrative agencies
(2) More crime means more people are scared
    (i) it's easier for certain groups to sell their bullshit antivirus products that do nothing
    (ii) it's easier for certain groups to push through restrictive legislation ostensibly aimed at curbing "cybercrime"
(3) More crime means more "news"

Crime is too profitable to fight too hard!

Still a problem (4, Interesting)

alaffin (585965) | more than 2 years ago | (#39699307)

Over reported? Possibly. Is it still a problem that is a long way from being solved? Yes.

Just last week the university that I work at suffered a significant phishing attack that compromised a large number of email accounts (we don't have a complete count yet - the phisher turned around and used those accounts to send out spam and he didn't use all of them at one time). How did it work? Well, it wasn't very sophisticated - a dupe of our webmail login page (at a different URL) and an email that said "dear {university} account user...blah...account being locked...blah...go to this page {link to copy of page with fugly URL}...blah" from a Yahoo address. And the students (arguably an intelligent bunch, and most young enough to know how computers and phishers work) drank the kool-aid, clicked on the link and, in the end, made quite a mess.

I've actually been in the room when people have said "hey, this Nigerian prince thing looks like a good idea". I've spoken with people who let a phone caller from "Microsoft" take control of their PC. And it comes from both sides. I've received legitimate emails from my bank that I could've sworn up and down were from a spammer (unsolicited, from someone I've never met, from a branch that I don't go to, poorly formatted and offering me a free credit card) but which, upon further review (checked the email address and the phone number provided in the email with the bank's fraud division), were legit. That irks me the most because it just encourages people to accept stuff that doesn't pass the smell test.

The more press this kind of thing gets the better. I'm not saying it should take headlines and mindspace from other, worthy causes, but the fact is that people - including me - are stupid. If you don't hit us over the head every once in a while to remind us why we ought not to do this, then we probably will.

Worse than just being long... (4, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#39699559)

It is not just that we are a long way from solving the problem of computer crime; we are not even trying to solve it. We are still sluggish on deploying digital cash (no, not Bitcoin, more like Chaum), relying on traditional systems of banking that have been translated into electronic forms (debit cards, credit cards, PayPal, etc.). We are still relying on passwords to protect money, personal information, and so forth. We are still relying on the From: field in an email to determine who the email came from. When things go wrong, we just call up the police and do nothing to fix the inherent security problems that made the attack possible.

Is it any wonder computer crime remains a serious problem? Society has not yet adjusted its thinking to align with the computer age. People have no concept of how easily emails can be forged -- one of my favorite demos to give people is to send them an email that has their own email address in the "From" field. There is also a general lack of technical knowledge that creates problems for people; a friend once told me that by password-protecting her BIOS, she could ensure that a thief would not be able to read her hard drive (she was shocked when I made her aware that a thief could just remove her laptop's hard drive and insert it into a different computer).

Eventually society will catch up. People eventually learned that traditional sword fighting tactics need to be dropped when you are dealing with firearms. In a few decades, computer security will improve out of necessity. Unfortunately, the time between now and then will be painful.

Re:Worse than just being long... (0)

Anonymous Coward | more than 2 years ago | (#39699635)

Explain why "digital cash" is so much better than bills? It's more convenient, but I've yet to see anything rigorous that demonstrates that it's better. Counterfeiting paper cash is not substantially different than digital cash, and actually leaves a paper trail. Further, the economic damage from counterfeiting and petty crime is very small compared to that from the problems we've seen from digital methods, and we're not yet detecting (if we're actually facing) sophisticated criminals.

Re:Worse than just being long... (1)

drinkypoo (153816) | more than 2 years ago | (#39699807)

It is not just that we are a long way from solving the problem of computer crime; we are not even trying to solve it. We are still sluggish on deploying digital cash

That only shifts who can be a criminal from anyone to only the government, which has proven its criminal intent repeatedly. I do not think this is as good an idea as you do.

People eventually learned that traditional sword fighting tactics need to be dropped when you are dealing with firearms

And yet we still issue bayonets...

Re:Worse than just being long... (1)

TheLink (130905) | more than 2 years ago | (#39700345)

We are still sluggish on deploying digital cash

How does digital cash solve the Nigerian scam problem?
How does digital cash solve the problem of using a user's credentials to transfer money out?
Which common computer crime problems does digital cash solve?

Re:Worse than just being long... (3, Interesting)

betterunixthanunix (980855) | more than 2 years ago | (#39700717)

Which common computer crime problems does digital cash solve?

https://en.wikipedia.org/wiki/Card_not_present_transaction [wikipedia.org]

You know how you get this funny feeling about giving your credit card details to some unknown website, or over an unsecure connection, or to some stranger at a gas station? The reason you get that funny feeling is that you are worried that the person you just gave that information to might turn around and spend your money, a basic form of online credit card fraud. It happens all the time, and that information is one of the things that is traded on "carder" forums. Now we have an even worse problem: well known businesses might be attacked, and have databases full of payment information copied.

Now, a digital cash smart card is another story. You have a card with enough memory to store some digital cash tokens and some circuitry for carrying out a digital cash protocol. You want to buy something online? Plug your smartcard into your computer (why don't we ship computers with smartcard readers?), make the payment, and the worst that can happen is that the counterparty never delivers what you purchased. No fears about your credentials being used to make fraudulent payments, no worries about a database of payment information, and your money can only be stolen the traditional way: someone taking your smartcard from your wallet.

This was one of the original points of digital cash. Anonymous payments are not good because they let you evade government regulations, they are good because they do not create identity theft problems. Digital cash is good because it is anonymous, and because it is hard (in a cryptographic sense) to make fraudulent payments without at least betraying your identity in the process (and thus opening yourself up to prosecution).

I am not going to claim that all financial crime problems will be solved with digital cash. People will still need to transfer cash to their smartcards somehow, which is something that also needs to be secured. The point here is that we could defend ourselves from a large and important class of computer crimes by deploying relatively inexpensive hardware (a one-time cost) and some well-developed cryptographic protocols.

Re:Worse than just being long... (2)

TheRaven64 (641858) | more than 2 years ago | (#39701417)

I recently got to play with a new prototype credit card. It's pretty neat, there is a small LCD and a button built into the card, as well as a NFC transceiver. You put it near your phone or computer and it displays the transaction amount on the card's screen. You press the button and it authorises it, by sending a single-use token to the computer. If your computer is trojaned then it can only be used to steal amounts equal to those of purchases you make (by altering the payee ID, although the next version will probably also display the merchant name). If the remote end is compromised, the attacker gets nothing of value because the generated tokens are only enough to authorise a single transaction of a specified amount to a single recipient.

I had the idea for such a system a few years ago, and was very disappointed to discover that a lot of other people had the same idea. The cost of building the cards has recently dropped to the level where it's now feasible though, so they should start appearing in most of the world in the next couple of years, and in the USA some time around 2030.
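
The amount-bound, single-use token described above, as an added example that is not the prototype card's real protocol: the construction (a counter plus an HMAC over counter, amount and payee under a key shared with the issuer) and every name in it are assumptions for the demo. It also shows the caveat in the post: a card that displays only the amount still signs a payee substituted by a trojaned host, while one that displays the merchant name lets the holder decline.

```python
"""Single-use, amount-bound payment token (constructed demo, not the card's
real protocol). Key, counter/HMAC token layout and names are assumptions."""
import hashlib
import hmac
import struct


class Card:
    """Holds the shared key, a monotonic counter, a display and one button."""

    def __init__(self, key: bytes, display_payee: bool):
        self._key = key
        self._counter = 0
        self.display_payee = display_payee  # first version shows amount only

    def authorise(self, amount_cents: int, payee: str, holder_confirms):
        """The (possibly trojaned) host supplies amount and payee; the card
        shows what it can and signs only after the holder presses the button."""
        shown_payee = payee if self.display_payee else None
        if not holder_confirms(amount_cents, shown_payee):
            return None
        self._counter += 1
        body = struct.pack(">IQ", self._counter, amount_cents) + payee.encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return struct.pack(">I", self._counter) + tag


class Issuer:
    """Redeems a token for exactly one (amount, payee) pair, exactly once."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def redeem(self, token, amount_cents: int, payee: str) -> bool:
        if token is None or len(token) != 4 + 32:
            return False
        counter = struct.unpack(">I", token[:4])[0]
        if counter <= self._last_counter:  # replay of an already spent token
            return False
        body = struct.pack(">IQ", counter, amount_cents) + payee.encode()
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(token[4:], expected):
            return False  # amount or payee differs from what the card signed
        self._last_counter = counter
        return True


def holder(intended_amount: int, intended_payee: str):
    """The cardholder presses the button only if what the card shows matches."""
    def confirm(shown_amount, shown_payee):
        if shown_amount != intended_amount:
            return False
        return shown_payee is None or shown_payee == intended_payee
    return confirm


def simulate(display_payee: bool) -> dict:
    """Honest purchase, replay, amount tampering and payee swap by the host."""
    key = b"constructed-demo-key"
    card, issuer = Card(key, display_payee), Issuer(key)
    confirm = holder(1250, "shop.example")

    tok = card.authorise(1250, "shop.example", confirm)
    honest = issuer.redeem(tok, 1250, "shop.example")
    replay = issuer.redeem(tok, 1250, "shop.example")

    tok2 = card.authorise(1250, "shop.example", confirm)
    amount_altered = issuer.redeem(tok2, 99999, "shop.example")

    # Trojaned host swaps the payee before the card signs.
    tok3 = card.authorise(1250, "attacker.example", confirm)
    payee_swapped_paid = issuer.redeem(tok3, 1250, "attacker.example")

    return {"honest": honest, "replay": replay,
            "amount_altered": amount_altered,
            "payee_swapped_paid": payee_swapped_paid}
```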

Re:Worse than just being long... (1)

TheLink (130905) | more than 2 years ago | (#39702597)

No, I don't get that funny feeling at all. Because with credit cards it's not my money - it's a CREDIT card after all! If there's card fraud it's usually the merchant's (or more rarely the bank's) money that's gone. And if the merchant doesn't deliver, I complain to my card issuer, and I don't have to pay for that transaction. It may take a while for some cases but meanwhile the scenario is: my money is with me, the bank says I owe them. It's in the interest of the bank to fix the situation. I can complain to the regulator too.

With digital or nondigital cash it's another story - it's MY money that's gone! If the merchant never delivers, I have to go after the merchant to get my money back. That's normally harder for most people especially for international transactions. It's not like the cops will help.

The costs of supporting credit cards are passed to the consumers, but where I live there's usually not a significant price difference when you pay with cash compared to when you pay with credit card. It's 0% to 5% more. Lots of merchants have realized that handling lots of cash does come with costs too. Many probably lose more from employees stealing stuff/money.

So please do a better job of showing how digital cash is better.

Re:Still a problem (0)

Anonymous Coward | more than 2 years ago | (#39699649)

I've received legitimate emails from my bank that I could've sworn up and down were from a spammer (unsolicited, from someone I've never met, from a branch that I don't go to, poorly formatted and offering me a free credit card) but which, upon further review (checked the email address and the phone number provided in the email with the bank's fraud division), were legit. That irks me the most

I've seen that, too. I stop doing business with such places.

Re:Still a problem (1)

mlush (620447) | more than 2 years ago | (#39700091)

I've spoken with people who let a phone caller from "Microsoft" take control of their PC.

Fair do's here... this con has always been quite convincing; you are after all talking to a real person and they know your computer is running slow, so they must be on the level, and they're getting better and better scripts.

The first ones I got were pretty crude, where they make a non-specific allegation that "We are calling on behalf of your ISP and they say..."; more recently they have talked me through opening up my Event Viewer so I could see all the scary warnings and errors, to be told 'ohhh it's worse than we thought, your computer has only 3 days to live...'

I've had 2-3 of these a year for the last few years and I try and string them along as long as possible as a service to society... It's great fun, but don't try and buy time by saying you have to switch your computer on, they just ring off :-(

Re:Still a problem (1)

SomePoorSchmuck (183775) | more than 2 years ago | (#39700937)

I've spoken with people who let a phone caller from "Microsoft" take control of their PC.

I've had 2-3 of these a year for the last few years and I try and string them along as long as possible as a service to society... It's great fun, but don't try and buy time by saying you have to switch your computer on, they just ring off :-(

Well, if you think about it, someone who doesn't leave their computer on all the time is a less desirable target for data harvesters or trojan/botnet admins. The more someone uses their computer to manage more parts of their life (and therefore have more sensitive data stored there) the more likely they are to leave it on all the time, for later rooted perusal, DDOS zombie use, etc.

Re:Still a problem (0)

Anonymous Coward | more than 2 years ago | (#39700465)

Well, at least it's not like at my university where the emails were coming from a university computer, went through the university email system and had the right "from" address.
Most amazingly, nobody from the IT department seemed particularly concerned that
a) a phisher had access to a university computer
b) the email system would allow a From address to be faked to the admin address
Now that I read this I wonder if they actually set this up themselves and were just testing people, but their reaction didn't seem like it...

Re:Still a problem (1)

wvmarle (1070040) | more than 2 years ago | (#39701183)

I've received legitimate emails from my bank that I could've sworn up and down were from a spammer (unsolicited, from someone I've never met, from a branch that I don't go to, poorly formatted and offering me a free credit card) but which, upon further review (checked the email address and the phone number provided in the email with the bank's fraud division), were legit.

I'm surprised you actually went that far, and didn't delete the mail instantly. That's what I do with such mails. From my bank I only expect automatic incoming remittance notifications; anything else that appears to be from my bank or any other bank gets deleted without even reading the body.

Re:Still a problem (1)

alaffin (585965) | more than 2 years ago | (#39701895)

Most of them go to my spam folder or get filtered into another folder that is not spam but might as well be for the number of times I look there. When one gets past that gauntlet I naturally want to find out how it did so and where my rules might need tuning. Because I thought it was fraud I started collecting info from the email to send to my bank's fraud division (as long as I was reading the email anyway) and it rolled from there.

Re:Still a problem (1)

bcrowell (177657) | more than 2 years ago | (#39704031)

Over reported? Possibly. Is it still a problem that is a long way from being solved? Yes.

Your post, and every other slashdot comment I've read so far on this article, misses the two main points of the article and talks about something else instead. The two main points of the article are:

(1) The monetary damage to victims of cybercrime has been wildly overestimated.

(2) The profitability of cybercrime is extremely low.

Your anecdote about the phishing scam hitting your university doesn't contradict either of these points. From your description, it sounds like there were a lot of hassles created for students and IT staff at your school, but you don't describe any monetary damage to the victims. It also doesn't contradict point 2; although the criminals sent spams, the profitability of sending those spams was probably extremely low.

Cybercrime is a lot like selling heroin on the street. Dealing is surprisingly unprofitable for a street dealer, it causes basically no concrete economic damage to anyone, and yet it creates massive hassles for lots of innocent people who just happen to live in the neighborhood.

What boggles my mind is low adoption of DKIM. Google and Yahoo use it, and quite a few banks and other big-money businesses use it. But what's bizarre is that anybody doesn't use it. It's easy to set up, and results in a net economic benefit to the person setting it up on their server. It doesn't make anything harder for the end user. If we could get the adoption rate up to 90% or something, phishing would get really easy to handle. All you'd have to do is train users not to believe the authenticity of mail that isn't properly DKIM-signed. Once it got to 90% of servers, many businesses would stop accepting email that wasn't DKIM-signed, and acceptance would rapidly become 100%.
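
The receiving-side policy bcrowell has in mind (treat mail without a valid DKIM signature as untrusted), as an added example that is not from the thread or from any mail product. It assumes the local MTA has already verified signatures and recorded the outcome in an RFC 8601 Authentication-Results header stamped with a hypothetical authserv-id, and the sample messages are constructed; the policy also checks that the signing domain aligns with the From: domain, and ignores Authentication-Results headers the sender could have inserted itself.

```python
"""Receiver-side DKIM acceptance policy (constructed demo).
Assumes our MTA strips inbound Authentication-Results headers and stamps its
own under AUTHSERV_ID after verifying DKIM. Sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.edu"  # assumption: identifier our own verifier stamps


def _org_domain(domain: str) -> str:
    """Crude registrable-domain approximation (last two labels); production
    code would consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def passing_dkim_domains(msg) -> set:
    """header.d values of every dkim=pass result recorded by OUR verifier.
    Results under any other authserv-id are ignored: a sender can add such a
    header itself, so only the one our own MTA stamps is trustworthy."""
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = hdr.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != AUTHSERV_ID:
            continue
        for clause in results.split(";"):
            clause = clause.strip()
            if not clause.lower().startswith("dkim=pass"):
                continue
            m = re.search(r"header\.d=([^\s;]+)", clause, re.IGNORECASE)
            if m:
                found.add(m.group(1).lower())
    return found


def classify(raw_message: str) -> str:
    """Decide accept / quarantine / reject for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if not from_domain:
        return "reject: no parsable From address"
    signers = passing_dkim_domains(msg)
    if not signers:
        return "reject: no DKIM pass from trusted verifier"
    if any(_org_domain(d) == _org_domain(from_domain) for d in signers):
        return "accept: DKIM pass aligned with From domain"
    return "quarantine: DKIM pass, but signer does not match From domain"


# Constructed sample messages; only the headers matter for the policy.
SIGNED_ALIGNED = (
    "Authentication-Results: mx.example.edu; dkim=pass header.d=bank.example\n"
    "From: Example Bank <alerts@bank.example>\n\nYour statement is ready.\n"
)
UNSIGNED_PHISH = (
    "From: IT Helpdesk <helpdesk@university.example>\n\nAccount being locked.\n"
)
FORGED_RESULTS = (  # sender injects a pass result under a foreign authserv-id
    "Authentication-Results: mail.attacker.example; dkim=pass"
    " header.d=university.example\n"
    "From: IT Helpdesk <helpdesk@university.example>\n\nGo to this page.\n"
)
UNALIGNED = (
    "Authentication-Results: mx.example.edu; dkim=pass header.d=bulkmailer.example\n"
    "From: Example Bank <alerts@bank.example>\n\nFree credit card offer.\n"
)

if __name__ == "__main__":
    for name, sample in [("signed", SIGNED_ALIGNED), ("unsigned", UNSIGNED_PHISH),
                         ("forged", FORGED_RESULTS), ("unaligned", UNALIGNED)]:
        print(f"{name:10s} -> {classify(sample)}")
```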

Re:Still a problem (1)

alaffin (585965) | more than 2 years ago | (#39705487)

On the surface it appears to be nothing more than a hassle for my department. To a point that's fine - that's what our department is paid to do. However there is an opportunity cost there - the time we spend cleaning up the mess is time we could have spent elsewhere. There's also cost to the students, staff and alumni involved in the attack (yes, we provide email to all three groups) - students and staff dislike the policy we have of making them prostrate themselves before our department to ask that they be let back in after falling victim to a phishing scheme while alumni actually have to be shuffled between departments trying to find the right people to talk to to get their account unlocked.

Further down the line we suffer some knock on effects. Government, in particular, has some stringent blacklists that we made following the recent spate of spam originating from our server. That's tough for a lot of our researchers who are working with the government on various and sundry projects. Or for students who are waiting to hear back on research grants. Business uses a lot of these lists too, but calling up a business and asking for them to correct their blacklist is fairly straightforward and is usually done within hours. The government is another matter altogether. It's usually faster to just wait until the ban expires rather than actually push to get removed.

So there are costs to phishing besides the nominal cost of bandwidth. And that's ignoring other phishing attacks I've seen scanning through some of our spam filter's archives. One that comes quickly to mind offers job opportunities to new graduates if they submit various pieces of personal info (name, birth date, SIN number). Identity theft *is* common, and phishing is a common vector for identity theft.

As for the profitability I imagine it's a lot like most industries. A few guys with high grade organizations are raking it in, a few middle of the road companies are making enough to get by (usually taking contract work for the big guys) and the rest are lame duck orgs who think "get rich quick" and find out it's not so.

Re:Still a problem (1)

bcrowell (177657) | more than 2 years ago | (#39707527)

I believe your claim that this particular phishing attack has had negative effects on various people. What I don't believe is that (1) this has anything to do with the article linked to from the slashdot summary, or (2) that these negative effects are in any way quantifiable (which is basically the point of the article). The problems you're citing are like broken windows, graffiti, or finding used condoms in your front yard when you go out to get the morning paper; they're a bummer, but they're not quantifiable economic losses.

Government, in particular, has some stringent blacklists that we made following the recent spate of spam originating from our server. That's tough for a lot of our researchers who are working with the government on various and sundry projects. Or for students who are waiting to hear back on research grants.

This sounds to me like something that is clearly your fault. Why are you allowing these accounts to send large numbers of emails per unit time?

Unreadable Summary (0)

Anonymous Coward | more than 2 years ago | (#39699335)

That is all.

Re:Unreadable Summary (1)

SgtXaos (157101) | more than 2 years ago | (#39699655)

That is all.

Beat me to it.

I miss Taco...

Trolling for profit and job security. (0)

concealment (2447304) | more than 2 years ago | (#39699487)

If you are a member of a non-profit that exists to educate and information about specific harm X, you should make sure to inflate your figures so that it seems there's a Biblical plague of X out there. Job security is guaranteed this way. If you just leave it up to X to manifest itself, you could be out of a job real quick. The biggest user of this theory is government itself, which is going to invent waves of drug dealers, Nazis, terrorists, fundamentalists, pedophiles and corporate men in black in order to justify the 30% of your paycheck that it appropriates.

there is never an under-estimation reported (1)

nitehawk214 (222219) | more than 2 years ago | (#39699519)

...there is never an under-estimation reported.

Say what again?

Re:there is never an under-estimation reported (1)

residieu (577863) | more than 2 years ago | (#39699955)

Seems to assume the only way to cancel out an over-estimation is someone reporting a negative loss. Not sure why; Respondent A reporting $10k when his loss was really $5k could be canceled by Respondent B who lost $5k but was too embarrassed to say so.

Feature, not Bug (3, Interesting)

mbone (558574) | more than 2 years ago | (#39699555)

How do we reconcile this view with stories that cybercrime rivals the global drug trade in size? One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable.

Having dug into some of the statistics publicized for the drug war, I would say that merely having "absurdly bad statistical methods" could be an improvement. In the drug war, statistics are frequently more or less made up. Remember, the people funding this research have a vested interest and a strong desire to have the numbers come out the way they want them to and, no surprise, they generally do. There are whole institutes, such as the Center on Addiction and Substance Abuse at Columbia University, whose statistics I regard as consistently untrustworthy.

I would not be too surprised to see the same dynamic, and even the same people, involved in the cybercrime statistics game.

Re:Feature, not Bug (0)

Anonymous Coward | more than 2 years ago | (#39699741)

They're just playing catch up to the RI/MPAA

Re:Feature, not Bug (1)

Jay L (74152) | more than 2 years ago | (#39706813)

Remember, the people funding this research have a vested interest and a strong desire to have the numbers come out the way they want them to and, no surprise, they generally do.

Yep. I worked on a cybercrime startup idea for a while, and every single "cost of cybercrime" calculation I found - even from government agencies - was based on the same estimate from MarkMonitor. After a few years, MM was able to cite the more "official" sources with a circular reference.

statistics on losses (0)

Anonymous Coward | more than 2 years ago | (#39700275)

are going to be high by default. If all the compromised information was to be used to its fullest extent without regard for protecting the identity of the attacker, it would be the equivalent of X dollars lost, so report X to be the loss. If someone gets at your data, odds are good they won't be foolish enough to use it themselves, which means they need to take the time to track down a market for whatever data was stolen, and even then some of what was compromised may not be used for one reason or another. It's very rare for 100% of the projected cost of a cyberattack against you to come to fruition. Even with a DoS type attack, not all of the customers that appear during the time you're down will go elsewhere for their goods or services, some will be return customers who will wait and check back later, so your number is still going to be high.

Cyberterrorists! (0)

Anonymous Coward | more than 2 years ago | (#39702723)

I once had a student who constantly made reports to the police (and any other authority figure, regardless of their relevance) about the Cyberterrorists (who have his password) that kept doing things to him, because they were evil Cyberterrorists (who have his password!). Seriously. Every time he used the word Cyberterrorists, it was immediately followed by "(who have my password!)". Apparently it never occurred to him to just change his password. He used them as an excuse for _everything_.

He filed an appeal on his grade of F- in my course on the grounds that Cyberterrorists (who have his password!) kept stealing and/or vandalizing his car. He also blamed them for his car being smashed into the side of a parked transport truck while he was driving it (the car, not the truck), and was very angry that the police hadn't arrested them yet.

He also felt that the person next to him during the exam was one of them, and also copied answers from his test, so he wanted their identity information so he could sue them for copyright infringement (yes, on test answers, most of which were multiple choice), so I'm not sure how much credit I can give his claims.

I'm pretty sure that in my city, he accounts for at least 50% of the "reported" cybercrime, but by now the police probably don't even include his reports in the statistics.

Re:Cyberterrorists! (0)

Anonymous Coward | more than 2 years ago | (#39706393)

I think you should have referred this student to a mental health professional. Some people just need help.