Cybersecurity: Are You Safe?

  By Lindsay Edmonds Wickman —

More than 40 million credit and debit card numbers were stolen in 2005 from TJX stores because of insecure wireless networks. A total of 250,000 computers were infected in 2005 and 2006 with information-stealing malware. And the Federal Trade Commission received more than 800,000 consumer fraud and identity theft complaints in 2007.

While modern technologies make shopping, paying bills and managing accounts easier, they — and we — aren’t infallible. We often have a false sense of security, and our electronic transactions can leave us vulnerable to cyberattacks.

“The good guys look at the Internet and say, ‘We can make people’s lives more convenient,’” said Michael Kaiser, executive director of the National Cyber Security Alliance, a nonprofit that provides knowledge and tools to prevent cybercrime. “[But] we’ve got to remember that cybercriminals take all that potential and they use it for bad things.”

Because Internet use spread so quickly, proper security features were not developed. The eBays and Amazons of the world were born overnight, and consumers were driven to spend more time online, opening themselves up to the possibility of cybercrime. Now companies, organizations, government agencies and researchers are playing catch-up, trying to retrofit security features.

“If you think about cars, it was many decades from the introduction of the car [that] we became the car culture. If you think about the Internet, it’s just been like a dozen years,” Kaiser said. “That speed of rollout and that entrepreneurial spirit have brought us unbelievably robust Internet applications, [but] I think [it] has not been done as thoughtfully [around] the kinds of risks that people face. And we haven’t spent much time teaching people about Internet safety and security.”

When cybercrime began, it was relatively innocuous and would more aptly be called cybermischief. The viruses deployed did only superficial things such as change the time on the clock, Kaiser said.

“It was about hackers trying to show they could beat the system,” he explained. “Then cybercriminals realized they could make money doing this, and that’s when we started to see spyware [and] malware. I think as long as there’s the ability to make money through cybercrime, there are going to be cybercriminals.”

Cybercrime includes identity theft, stalking, domestic violence and terrorism and involves botnets, viruses and Trojan horses.

“In the early days of the PC generation, computers could barely talk to one another. People basically worked in closed systems, and what we had was ‘sneakernet,’” said Kaiser, using the tongue-in-cheek term to describe the transfer of electronic information via removable media. “As that changed, [it] opened up opportunities for criminals. As computers talked to each other, as users talked to each other, as the Internet started to roll out and people were sharing all kinds of information, that created a lot of opportunities for crime.”

Like traditional U.S. crime, a fair amount of cybercrime occurs between people who know each other. 

“It’s important that people remember they’re not only defending against the person who’s out there on the other side of the ocean, but it could be the person under the same roof,” Kaiser said. “There are a lot of cases of people who are in domestic violence relationships, where [their partners] have put spyware on their computers to track their online behaviors.”

As for outsider offenses, a frequent method of attack involves tracking keystrokes, said Virgil Gligor, co-director of CyLab and professor of electrical and computer engineering at Carnegie Mellon University. This occurs when a user visits a malicious Web site that secretly downloads keystroke-tracking software onto his or her computer. When that user logs in to his or her bank account, this tool records that information and returns it to the cybercriminal.

“This is a very potent attack that has been launched in the last two or three years,” Gligor said. “The FBI and Secret Service, with the help of banks, have been tracking and investigating such attacks.”

Gligor said he believes the adoption of a new Internet architecture is the long-term solution to the Internet’s security flaws. But it will take time to implement, he said, and in the meantime, security professionals will have to continue to patch whatever holes they find.

“The problem is that the more we look, the more we find,” Gligor said.

There is a camp that argues that the immense popularity of the Internet is due to its insecure nature and that the lack of bureaucratic features is what made it catch on like wildfire.

“To have accountability, you have to have registries of systems and users,” Gligor said. “Clearly, the spread of the Internet if such structures were imposed would have been a lot slower. On the other hand, some people consider this to be a fallacious argument because we as a community could have anticipated that, if we don’t build in security from the start, it would be very difficult to retrofit [it] afterwards.”

Is Your Identity Safe?

Once upon a time, identity thieves would search through garbage looking for discarded mail or other documents containing an individual’s personal information. Some still resort to this tactic, but an Internet connection gives many the ability to steal more information faster.

“People don’t realize when you e-mail someone a credit card number to buy something or instant message a friend [your] Social Security number, that’s essentially the same thing as going into a crowded room and shouting across what your information is,” said Todd Feinman, CEO of security and privacy technologies firm Identity Finder.

Just think about what’s on your blog, your Facebook page or your Flickr site.

“The Internet has become about biography,” Kaiser said. “It’s kind of amazing how much information is out there about people.”

A survey by Javelin Strategy & Research found that 8.4 million Americans were victims of identity theft in 2006. The average fraud amount per victim was $5,869, and the average resolution time for resolving it was 40 hours. Understandably, the impact of identity theft can be devastating.

“I’ve heard of cases where people have taken out mortgages for houses in someone else’s name,” Kaiser said. “More common [is when] people attempt to access existing resources like a bank account.

“[But] the impact of those things is long-lasting. Once your credit’s been breached and your information is out there in these criminal networks, it requires an enormous amount of vigilance to clear it.”

Unfortunately, catching and prosecuting identity thieves and cybercriminals is even more difficult. In the aforementioned TJX case from 2005, which Feinman said highlighted one of the biggest identity theft rings to date, the main perpetrators weren’t caught until mid-2008.

“Most identity thieves will never be caught unless they’re really going on a limb and ordering products online that are delivered to their home,” Feinman said. “The U.S. jurisdiction only goes so far, [and] a lot of times these people will go to countries where there are no extradition laws.