In December 2006, Turkish authorities announced the arrest of Ali Y’nin and nine accomplices for bank fraud. They accused Y’nin of leading a gang that sent millions of virus-laden emails. About 11,000 of the recipients opened the email message and unknowingly infected their computers. Then when the victims used online banking services, the gang captured the passwords for those bank accounts and drained them using false identification, fake ATM cards, and Western Union money transfers.

How have we found ourselves in a world in which a small Turkish gang can drain bank accounts on such a massive scale? The police state that Y’nin and his accomplices sent 3.4 million emails and compromised about 11,000 bank accounts. That is a success rate of only 0.3%, but it is hard to imagine that Y’nin was disappointed at being able to access the bank accounts of “only� 11,000 people.

This chapter from the book The New School of Information Security is provided courtesy of Addison-Wesley Professional

Part of the answer is that because the interconnected world of computers and the internet provides many advantages to criminals, they are drawn to electronic crime. Attacks can be automated and carried out in large numbers. Imagine Y’nin attempting to perform the same fraud, but in person at bank branches. If each member of his gang tried to walk into the same bank branch claiming to be a different person each time, even a bored security guard would catch on after a while. If the gang spent all day traveling to different banks and spent one hour per account, they would be doing nothing but going from bank to bank eight hours a day for over six months. The internet makes everyone more efficient, even criminals. Perhaps especially criminals.

Although Y’nin and his gang were eventually caught, it is much harder to catch an electronic thief than a robber in the physical world. Investigating a burglary might take the police an hour or perhaps a day. An electronic break-in executed across international borders might require months or years of investigation. Only a few national police agencies take on cases that require such an investment of time and effort, whereas anyone connected to the internet can now attack computers around the world. In some of these countries, laws about electronic crimes might not be clear, or there may be no effective local law enforcement to make an arrest. Is it illegal to send email spam from China? What happens if an attacker launders his attack through a computer in Nigeria? Some large companies are dedicating resources to helping police forces investigate attacks that matter to them, but it is not clear if this strategy is a good investment. Another challenge for law enforcement is that the skills required to investigate computer crime quickly go out of date because of the rapid advance of technology. If an officer learned

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine