Since the 1990s, the internet has become a ubiquitous medium for communication, entertainment and business. The growth of internet retail has exploded. Between 2006 and 2011, US holiday purchases alone grew by over 10 billion dollars. Simultaneously, the internet has heralded the rise of home-trading in the financial markets. People are now able to trade stocks and bonds without having to live in cities like New York or Chicago. In contrast to even 10 years ago, people can stay constantly updated on the status of their bank accounts. Checking, savings, and credit balances can be checked online at any time. A person can even apply for a loan online.
Each year sees greater steps taken in the inexorable march of internet commerce and the interconnectivity of people and money. However, for all the potential good of this omnipresent marketplace, there is an equally foreboding bad. The internet sees billions, possibly even trillions of dollars swimming around it on any given day. In a digital ocean teeming with plump fish, there are bound to be predators. Anyone who has used the internet with any regularity has certainly heard of hackers. Hacking, although an annoyance for most (e.g. hacked Facebook accounts, or the recent hacking of We Out Here’s website), has the potential to be a far more insidious threat.
The term “hacker” can mean many types of people, but is colloquially used to denote a threat to internet security. Hackers, in the most general sense, are people who attempt to find weaknesses in a system and exploit them. John Harrison, group product manager of security technology and response at Symantec, discussed the genesis of hacking and gave a brief timeline. He explained that, “Initial hacking was more about discovery. They were trying to create code on, ‘how to do stuff.’” Following that, the 90s were all about damage and destruction. This then evolved into a fame and glory model.
The hacker’s motto became, “let’s see how many computers I can infect.” Then finally, the 2000s saw the rise of organized cybercrime. What were the primary targets? Wherever the money was.
Nathaniel White, the FBI cybercrimes supervisory special agent in Portland, Oregon, described many hacking instances as, “Semi-professional criminal organizations with their own training programs.” They are becoming more structured and taking on an organized crime type of metric. Hacking has experienced a technical and social evolution. Many are highly skilled, highly dedicated people, trying to bilk others out of their money.
Currently, internet transactions are relatively safe. These transactions are encrypted with public key encryption. This encryption masks the details of an order, which can only be decrypted by the receiver. While it is possible to decode these encrypted signals, the computing power necessary to do so is vastly more expensive than the potential earnings and the personal effort is too great. So, the weaknesses are found on either the sender’s (the buyer’s) or the receiver’s (the seller’s) side.
The most common way people get sensitive information is by either phishing or getting people to download malware. Phishing is when a duplicitous site is set up to masquerade as a legitimate retailer or service provider. Under the guise of trustworthiness, they get users to enter sensitive information such as passwords, financial account numbers, and a host of other information a hacker considers important. An attempt at phishing is probably what happened with We Out Here a few weeks ago. Because We Out Here has steady traffic to their site, a hacker set the site up to redirect visitors, in the hopes of getting personal information.
Malware installation does almost the same thing, but instead of requesting sensitive information it basically steals it. For malware to work, the hacker must find a way to install illicit programs on a user’s computer so they can monitor their activities. Usually this is done with a “Trojan.” A trojan is a program hidden within a file the user wants; these are normally songs, videos, or games that can be downloaded. Once the program is installed onto someone’s computer, the hacker then has access to all their files and a log of their activities online. This includes user names and passwords for bank accounts, stock trading accounts, and various other important services.
Attacking the receiving end of information transfers is more difficult, but much more lucrative for hackers. In 2008, eleven people were indicted on charges of organized cybercrime for just this type of operation. The group had penetrated the security of many large US retailers and obtained the financial details of their customers. They would drive by shopping centers with computers, searching for weaknesses in retailers’ WiFi networks. (This technique of searching for free WiFi networks is known as wardriving.) In doing so, they obtained millions of credit and debit card numbers from stores like Barnes & Noble, the Sports Authority, OfficeMax, and others. Or, just weeks ago, Zappos.com was compromised in what became the second largest breach of personal security on the internet, with 24 million of its customers’ personal information compromised.
Once the necessary information has been extracted from a target, it is either used personally by the hacker who acquired it, or it is sold to another party. There are illegal online markets for the re-selling of consumer financial information. In 2008, a forum known as the Dark Market was infiltrated by the FBI and shut down. According to the FBI website, Dark Market had 2,500 members who would contact each other to sell and trade, “credit card data, login credentials (user names and passwords), and even electronic equipment for carrying out financial crimes.” The FBI estimates that the elimination of the site prevented nearly $70 million in losses to consumers and businesses.
However, many operations like Dark Market still exist. One of the largest and best-known illegal internet operations is The Russian Business Network. The company operates as its own internet service provider, much like Comcast or Verizon. The Russian Business Network then provides web hosting for other nefarious sites. Many of these sites are dedicated to the storage and sale of people’s personal financial information, but they also host sites for child pornography, and other illicit activities. The Guardian newspaper recently reported on an attempt to crack down on the RBN but states that the criminal organization had, “slipped its internet moorings in the Baltic coastal city of St Petersburg and made for servers in China.”
The general perception is that hacking is a foreign threat, menacing the United States. Perpetrators are touted as Russians, Chinese, and Africans focusing their attacks on the west. This isn’t totally true, because both Symantec and the FBI rank the United States as the number one source of cyber-crime. However, China ranked 2nd and 4th on those lists, respectively.
Recently, people have begun using their cellphones as their primary conduit to the internet. Given its convenience, experts believe that cellphones will become a mobile digital wallet. Surprisingly, this is already the case in Kenya. Due to recent modernization, and a previously non-existent economic infrastructure, Kenyans have jumped ahead of industrialized nations and are the leaders in smartphone-based payments.
The United States is catching up, however. In its Internet Security Threat Report, Symantec points out that there was a 42% increase in mobile device vulnerabilities between 2009 and 2010. These numbers will only go up with increased usage of mobile internet devices. Trojans are of particular concern to mobile users because of their app markets. The provenance of an app is difficult to assess and can lead to a user downloading a malicious program onto their phone or tablet.
As demands for convenience make it easier to purchase things with a cellphone and over the internet, the question of security looms large. Smartphones are just small personal computers with an application for making phone calls. They are more computer than phone. Many people do not consider their phones as computers, and so they don’t worry about information security. Phones are just as vulnerable as anything else. Even back in 2005, Paris Hilton’s T-Mobile Sidekick was famously hacked and the contact list was posted to the internet. This was before the time of phone-based commerce and should serve as an example of the need for digital vigilance.
Due to their technological ignorance, the general public tends to assume their information is invulnerable to theft. Also, due to its intangibility, people don’t guard it like they would hard cash. In many ways, humanity has not had the cultural evolution necessary for proper internet safety. A telling historical parallel is the old itinerant Wild West apothecary. They would travel from town to town selling their wares and elixirs, and their consumers had no information regarding their contents.
After experiencing none of the stated health benefits or, in fact, becoming more sick, buyers began to develop skepticism for these peddlers. The same thing is beginning to happen on the internet, but is not where it needs to be. If someone emptied their bank account and hoarded the cash in their house, they would sweat bullets every night worrying about robberies. The same situation is possible with digital accounts when someone’s information is easily accessible, but it never seems to elicit the same anxiety as physical currency.
To facilitate the understanding of internet safety and the users’ role in it, Agent White compared computers to cars. He said that like driving a car, “there are a lot of pitfalls and dangers but it makes our world convenient so we’re not going to give it up. We just need to learn how to be safe.”
Both the FBI and Symantec stress best practices. To help protect oneself, it is important to keep software updated, have a good firewall, and learn a little bit about new software. John Harrison stressed that a major vulnerability is out-of-date versions of Java, Flash, Adobe Reader, QuickTime, and web browsers. As long as people make an effort at their own security, their risk of victimization decreases precipitously. The old adage, “you don’t need to be faster than the bear, just faster than your friends,” seems fitting. If your information and money are hard to steal, people will find others who are easier to steal from.