Thursday, October 8, 2009

Umm, so where do I report cybercrime? Needed: eCrime reporting API for enforcement

For many online sites, fraudsters are like mosquitos - you can easily handle a few buzzing around, but if you don't swat them, they will eat you alive.

We have customers who deal with some pretty sophisticated fraud every day. Their fraud teams use automated tools to winnow the transactions down to a suspicious subset and then use Aikido-like techniques to direct and exhaust the fraudsters' energy - exposing the bad guys and minimising the cost of managing it.

It wouldn't be fair to discuss the techniques used, but often a side-effect is that additional proofs of the fraudsters' location, their associates and their ability to manufacture or repurpose stolen identities end up being provided to the fraud team. Sometimes, they get hard evidence.

That sounds great for law enforcement, right? Not exactly.

Most merchants run lean operations; they don't have the time or profitability to spend excessive time reporting incidents and working with law enforcement - after all, the fraud may only be worth $10-200. This is a lot of money in some countries, but it's just better to swat the mosquito and move on. There is no need to track every mozzy back to the swamp or puddle, but merchants would certainly appreciate handing off to enforcement to handle that part.

But... there is no 911, 000, 999, Neighborhood Watch, Crimestoppers, etc. - it's still the Wild West. Such things don't commonly and uniformly exist in cyberspace.

In 2004, we built a system for the government called "SpamMATTERS" - a world first* that allowed consumers to report spam, scam and phishing emails with a simple "click". The system was a great success and was instrumental in various enforcement and disciplinary actions.
Naturally spam hasn't stopped, and that's a story/post for another time. The lesson is that people love helping swat mosquitos as long as they know there is some material benefit or action from their help. Relating this to fraud...

...is exactly the same. Back in 2005 I did some proofing of a document that was an attempt to extend the IETF IODEF (RFC 5070) for eCrime reporting. You can now get a tool from "the e-Crime Reporting and Incident Sharing Project" http://sourceforge.net/projects/ecrisp-x/ which has emerged from the Anti-Phishing Working Group.

But the question remains: if I fill out the details and click to send the information - so what?
  • It's nice that APWG is providing leadership, but
  • it's largely a US-centric project
  • with not a great deal of visibility into who the benefactor is, and
  • what are the actionable outcomes from any report?
To truly resonate with SME merchants, there must be a tangible "think globally, act locally" initiative and system.

Alastair MacGibbon's recent article, "When it comes to web safety, we’re going nowhere fast", accurately described the landscape and made a passionate appeal for such a reporting system that is simple and actionable - as I mentioned above, basically a "hand-off" from fraud teams swatting mosquitos to enforcement who can wade into the swamp. Of course Alastair's appeal is not new; it's just that very few are listening.#

This week, one customer asked me if they could report stolen and Photoshopped identity papers provided by a fraudster. As I mentioned, this customer is running a business; they don't have time to deal with cross-jurisdictional crime, but they would be happy to help - IF:
  • they believed that it's not just going into a black hole
  • it really was being actioned
  • it will help all/other merchants in the future
  • don't stop me running my business to get involved in the investigation - I'm interested in a good citizen sense - but Maslow's law dictates I focus on my business.
There is another benefit of such a system - METRICS. Currently there is no real metric for the cost of cybercrime to merchants... here's a hint... it's much larger than you realize. Think about it: could it be a case of self-interest that the banks refund your account after a phish/keylog event? If they didn't, the number of incidents would start to be reported and we would be getting a sense of how large the problem is.

Cybercrime and Cyberfraud are under-reported (or maybe non-reported).**

With fraudsters using anonymity via botnets and proxies, cybercrime is going to continue to grow unless our enforcement teams can scale on cross-jurisdictional levels.

It's a big deal. Merchants want to help - but there is no roadmap, no white pages and no belief there is anyone on the other side of the phone.

* Specifically for enforcement. The FTC fridge predated SpamMATTERS but did not retain forensic information required by evidentiary handling standards. The feedback-loop and AOL reports followed a little later.

# In 2004, speaking at an OECD conference in Busan, Korea on spam control, I warned that spam was not the issue but botnets were the main threat. Being the current Gold Medalist for botnets, the Koreans understood and built large KR-CERT teams to wrangle the domestic botnet problem. Other countries dismissed this warning; they thought spam was about Viagra - not the anonymity that botnets provide. The rest is history: botnets are now the premier platform for many types of cybercrime including keylogging, identity theft and click-fraud.

** Below is an example of global summaries from apwg.org. Currently there is no country-specific statistical reporting of events and there is no quantitative financial study for fraud happening to SME eCommerce operators. The Cybersource Annual fraud report is not a bad indicator of credit-card-related fraud, but new commerce models are appearing in virtual currencies and micropayment ecosystems - I will leave that for another post.
