Slashdot Mirror


The Cybercrime Wave That Wasn't

retroworks writes "Dinei Florencio and Cormac Herley write that cybercrime depleted gullible and unprotected users, producing diminishing returns (over-phishing). They argue that the statistics on the extent of losses from cybercrime are flawed because there is never an under-estimation reported. Do they underestimate the number of suckers gaining internet access born every minute? Or has cybercrime become the 'shark attack' that gets reported more often than it occurs?"


  1. Flavour of the month by AmiMoJo · · Score: 5, Informative

    Ever notice how when there is a notorious crime reported suddenly lots of other similar crimes start happening? Well, they don't suddenly start, they were happening before, just not being reported. It isn't over or under reporting in the sense that our stats are wrong, only in the sense that the mass media does a shit job of conveying factual information to the public.

    Defences are improving, people are getting more savvy. Obviously crime levels will go down. Back in 2002 XP didn't even have its firewall enabled by default. Everyone hated Vista for being locked down and hurling UAC prompts at the screen all the time, but it definitely worked.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Flavour of the month by locofungus · · Score: 2

      Just wait till IPv6 becomes standard and users will have to take an active role in personal firewalls....

      I don't see why you would think this would be the case.

      Pretty much every current IPv4 router[1] comes by default in a NAT configuration. To enable bridging, port forwarding etc generally requires changing settings on the router.

      There's absolutely no reason why IPv6 routers can't have a stateful firewall that blocks incoming connections by default. It's LESS difficult to do than NAT as there doesn't need to be packet inspection etc for things like FTP.

      [1] My cable modem operates in a bridged mode. I'm pretty sure I didn't change that but I could be wrong. It was a while ago now that I set it all up.

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
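The policy locofungus describes, a router that forwards replies to flows the LAN started and drops everything else inbound with no address rewriting, as an added example that is not part of the thread. It is a pure-Python model so it runs offline; the LAN prefix (documentation range 2001:db8::/32), the constructed packets and the interface names in the nftables sketch are assumptions. The one caveat a practitioner needs is also in the code: a default-deny IPv6 policy must still forward the ICMPv6 error messages of RFC 4890, or path MTU discovery breaks.

```python
"""Added example (not from the thread): a default-deny stateful IPv6 forward
filter for a home router, modelled in pure Python so it runs offline.
The LAN prefix and the interface names in the nftables sketch are assumptions."""
from dataclasses import dataclass

LAN_PREFIX = "2001:db8:1::"   # assumed delegated prefix on the LAN side

# RFC 4890: these ICMPv6 error messages must be forwarded even under a
# default-deny policy, or path MTU discovery and error reporting break.
ICMPV6_ERRORS_ALWAYS_FORWARD = {1, 2, 3, 4}   # dest-unreach, packet-too-big, time-exceeded, param-problem

# The same policy written as an nftables ruleset (interface names assumed):
NFT_RULESET = """
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        iifname "lan0" oifname "wan0" accept
    }
}
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0


class StatefulFilter:
    """Default-deny for inbound flows; outbound flows create state that lets
    replies back in. No address or port rewriting happens anywhere, which is
    why this is simpler than NAT: nothing has to look inside FTP or SIP."""

    def __init__(self, lan_prefix: str = LAN_PREFIX) -> None:
        self.lan_prefix = lan_prefix
        # flow table keyed as (lan_addr, lan_port, remote_addr, remote_port, proto)
        self.flows: set = set()

    def _is_lan(self, addr: str) -> bool:
        return addr.startswith(self.lan_prefix)

    def filter(self, pkt: Packet) -> str:
        """Return the verdict 'accept' or 'drop' for one forwarded packet."""
        if pkt.proto == "icmpv6" and pkt.icmp_type in ICMPV6_ERRORS_ALWAYS_FORWARD:
            return "accept"
        outbound = self._is_lan(pkt.src) and not self._is_lan(pkt.dst)
        inbound = self._is_lan(pkt.dst) and not self._is_lan(pkt.src)
        if outbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "accept"
        if inbound and (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "accept"           # reply to a flow a LAN host opened
        return "drop"                 # unsolicited inbound, or neither side is ours


def demo() -> list:
    """Constructed traffic; returns the verdicts in order."""
    fw = StatefulFilter()
    lan, remote = "2001:db8:1::10", "2001:db8:ffff::1"
    return [
        fw.filter(Packet(remote, lan, "tcp", 40000, 22)),        # unsolicited SSH: drop
        fw.filter(Packet(lan, remote, "tcp", 51000, 443)),       # LAN host opens HTTPS: accept
        fw.filter(Packet(remote, lan, "tcp", 443, 51000)),       # server's reply: accept
        fw.filter(Packet(remote, lan, "tcp", 443, 51001)),       # wrong client port: drop
        fw.filter(Packet(remote, lan, "icmpv6", icmp_type=2)),   # Packet Too Big: accept
    ]


if __name__ == "__main__":
    print(demo())
```

The flow table is the whole mechanism: an inbound packet is accepted only if its reversed 5-tuple was recorded by an outbound packet. That is exactly what NAT gives a home user today, minus the rewriting, so the claim that users will suddenly need personal firewalls under IPv6 only holds if CPE vendors ship the forward chain with `policy accept`.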
  2. Smarter and Smarter by Tempest451 · · Score: 2

    I think every generation will get more computer savvy, making it harder for 2-bit phishers or lazy hackers to cause any real damage.

    1. Re:Smarter and Smarter by Anonymous Coward · · Score: 2, Funny

      payphones

  3. Over-Phishing by SJHillman · · Score: 5, Funny

    Let's continue using the phishing analogy

    Fly-phishing: Phishing involving air travel
    Saltwater Phishing: Phishing from overseas
    Weekend Phishing: A leisure time activity that's used more as an excuse to drink beer than to scam people
    Phishing Boat: A scammer's base of operations located on a vessel in international waters
    Phishing Rod: Viagra scams
    Phishing Line: Like a pick-up line, but for money instead of sex.

    1. Re:Over-Phishing by Anonymous Coward · · Score: 2, Funny

      So then is a phishing scam involving trousers called a Tackle Box?

      No, you won't see Tackle Box phishing scams until Viagra for women.

  4. UNPOSSIBLE! by Anonymous Coward · · Score: 2, Insightful

    Cybercrime is the new terrorism! The new war on drugs!

    Something we can 'fight' forever and spread a lot of money around. (most of it to ourselves and business partners)

    Why do you hate America? Do you want the evil cyberterrorist criminals to steal your identity and rape your dog?

  5. Plenty of suckers in the sea by Formorian · · Score: 5, Interesting

    I work in a place that gets many calls related to phishing scams. You would not believe how many people argue with you on the legitness of the letter, they just don't understand why the money hasn't come to them yet. I don't believe in the past 5 years I've been here, the volume has decreased. Hasn't increased either, it tends to be steady every year.

    My own parents were hit with a rental scam (even though I had told them always ask me first about anything fishy). It was hey we'll sign contract, here's money order, oh crap we sent you too much, can you send the difference back. Lost $500, but learned a lesson and changed how they do rental agreements as a result.

    So 1 fish is out of the sea, but unfortunately with billions of people on the planet, there are plenty of suckers out there. Also, many of these scams appeal to the get rich quick mentality of people. I mean, how come other scams can keep working unless people have this need that "maybe this is the time this works and I can stop working or afford ".

    To people thinking that every generation will get more computer savvy and this will go away, I tend to disagree. Just because a generation is tech savvy doesn't mean they won't fall for the temptation to make money quick, even if it does sound too good to be true.

    Anyway, just my 2 cents.

    1. Re:Plenty of suckers in the sea by SJHillman · · Score: 4, Funny

      If you think it's bad for the victims, think of the poor princes in Africa who can't find anyone to believe them when they want to traffic large sums of money into an offshore account?

    2. Re:Plenty of suckers in the sea by Hatta · · Score: 2

      Individual phishing events are the least of one's worries these days. Even if you're able to completely avoid fraud yourself, you're likely to have your account details exposed in a breach of a credit card processor.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Plenty of suckers in the sea by heypete · · Score: 4, Informative

      Or I could just use my regular credit card, which gives me various perks (cash back, airline miles, etc.) with no service fees (unlike the prepaid ones).

      In the unlikely event that my card is misused I simply call the bank, dispute the charges, and get a new card in the mail. This has happened to me once or twice over the years (bad guy acquired card info without my knowledge) and I've spent less than 30 minutes total dealing with the fallout from such events.

      Sure, I shouldn't have to deal with it at all in an ideal world, but dealing with the aftermath of credit card fraud is pretty much a non-issue from the side of the customer.

    4. Re:Plenty of suckers in the sea by ccguy · · Score: 3, Funny
    5. Re:Plenty of suckers in the sea by RobertLTux · · Score: 2

      for Telephone scams one big trick is to have
      http://www.gpo.gov/fdsys/pkg/CFR-2011-title47-vol3/xml/CFR-2011-title47-vol3-sec64-1200.xml
      printed out and ready to read from during the call
      very good odds that if they even think you know the law they will hang up quickly.

      and yes in the US 47CFR64.1200 is THE LAW period FULL STOP

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
  6. Fix the Surveys by residieu · · Score: 4, Funny

    So we need to fix the surveys! If you get asked about how much you lost to cybercrime, claim to be a cybercriminal and give negative numbers. "I made $2 million in my Nigerian Prince scam. Would you help me smuggle money out of my country before my usurper cousin recovers it?"

  7. Still a problem by alaffin · · Score: 4, Interesting

    Over reported? Possibly. Is it still a problem that is a long way from being solved? Yes.

    Just last week the university that I work at suffered a significant phishing attack that compromised a large number of email accounts (we don't have a complete count yet - the phisher turned around and used those accounts to send out spam and he didn't use all of them at one time). How did it work? Well, it wasn't very sophisticated - a dupe of our webmail login page (at a different URL) and an email that said "dear {university} account user...blah...account being locked...blah...go to this page {link to copy of page with fugly URL}...blah" from a Yahoo address. And the students (arguably an intelligent bunch, and most young enough to know how computers and phishers work) drank the kool-aid, clicked on the link and, in the end, made quite a mess.

    I've actually been in the room when people have said "hey, this Nigerian prince thing looks like a good idea". I've spoken with people who let a phone caller from "Microsoft" take control of their PC. And it comes from both sides. I've received legitimate emails from my bank that I could've sworn up and down were from a spammer (unsolicited, from someone I've never met, from a branch that I don't go to, poorly formatted and offering me a free credit card) but which, upon further review (checked the email address and the phone number provided in the email with the bank's fraud division), were legit. That irks me the most because it just encourages people to accept stuff that doesn't pass the smell test.

    The more press this kind of thing gets the better. I'm not saying it should take headlines and mindspace from other, worthy causes but the fact is that people - including me - are stupid. If you don't hit us over the head every once in a while to remind us why we ought not to do this then we probably will.

  8. Feature, not Bug by mbone · · Score: 3, Interesting

    How do we reconcile this view with stories that cybercrime rivals the global drug trade in size? One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable.

    Having dug into some of the statistics publicized for the drug war, I would say that merely having "absurdly bad statistical methods" could be an improvement. In the drug war, statistics are frequently more or less made up. Remember, the people funding this research have a vested interest and a strong desire to have the numbers come out the way they want them to and, no surprise, they generally do. There are whole institutes, such as the Center on Addiction and Substance Abuse at Columbia University, whose statistics I regard as consistently untrustworthy.

    I would not be too surprised to see the same dynamic, and even the same people, involved in the cybercrime statistics game.

  9. Worse than just being long... by betterunixthanunix · · Score: 4, Insightful

    It is not just that we are a long way from solving the problem of computer crime; we are not even trying to solve it. We are still sluggish on deploying digital cash (no, not Bitcoin, more like Chaum), relying on traditional systems of banking that have been translated into electronic forms (debit cards, credit cards, PayPal, etc.). We are still relying on passwords to protect money, personal information, and so forth. We are still relying on the From: field in an email to determine who the email came from. When things go wrong, we just call up the police and do nothing to fix the inherent security problems that made the attack possible.

    Is it any wonder computer crime remains a serious problem? Society has not yet adjusted its thinking to align with the computer age. People have no concept of how easily emails can be forged -- one of my favorite demos to give people is to send them an email that has their own email address in the "From" field. There is also a general lack of technical knowledge that creates problems for people; a friend once told me that by password-protecting her BIOS, she could ensure that a thief would not be able to read her hard drive (she was shocked when I made her aware that a thief could just remove her laptop's hard drive and insert it into a different computer).

    Eventually society will catch up. People eventually learned that traditional sword fighting tactics need to be dropped when you are dealing with firearms. In a few decades, computer security will improve out of necessity. Unfortunately, the time between now and then will be painful.

    --
    Palm trees and 8
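The From-header demo betterunixthanunix describes, plus the check a receiving side needs to catch it, as an added example that is not part of the original post. The message and the SMTP client lines are constructed here with reserved example domains and nothing is sent; the alignment function assumes SPF and DKIM have already been evaluated and only implements the DMARC identifier-alignment rule on top of them.

```python
"""Added example (not from the thread): the From: forgery demo the post
describes, followed by the DMARC-style alignment check that catches it.
Addresses use reserved example domains; nothing is sent on the network."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional


def forged_message(victim: str) -> EmailMessage:
    """Header From: is plain text chosen by whoever runs the SMTP client.
    Putting the victim's own address there costs nothing."""
    msg = EmailMessage()
    msg["From"] = victim
    msg["To"] = victim
    msg["Subject"] = "Did you send this?"
    msg.set_content("The From: line above was typed by somebody else.")
    return msg


def smtp_client_lines(msg: EmailMessage, mail_from: str, rcpt_to: str) -> List[str]:
    """What the client would say to the receiving MTA. The envelope sender
    (MAIL FROM) and the header From: are independent fields."""
    return [
        "EHLO sender.example",              # assumed client host name
        f"MAIL FROM:<{mail_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        msg.as_string(),
        ".",
    ]


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _org_domain(domain: str) -> str:
    # Naive organisational domain (last two labels). Real DMARC checkers use
    # the public suffix list so that e.g. example.co.uk is handled correctly.
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def dmarc_alignment(raw: bytes, envelope_from: str,
                    dkim_domain: Optional[str] = None, relaxed: bool = True) -> dict:
    """DMARC identifier alignment (RFC 7489, section 3.1): the header From:
    domain must match the domain that SPF or DKIM actually authenticated.
    Assumption: SPF already passed for envelope_from's domain and DKIM already
    verified a signature with d=dkim_domain; only alignment is checked here."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = _domain(str(msg["From"]))
    envelope = _domain(envelope_from)

    def aligned(domain: str) -> bool:
        if not domain or not header_from:
            return False
        if relaxed:
            return _org_domain(domain) == _org_domain(header_from)
        return domain == header_from

    spf_aligned = aligned(envelope)
    dkim_aligned = aligned((dkim_domain or "").lower())
    return {
        "header_from_domain": header_from,
        "envelope_from_domain": envelope,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "aligned": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    victim = "alice@example.com"
    msg = forged_message(victim)
    for line in smtp_client_lines(msg, "bulk@sender.example", victim):
        print("C:", line)
    # SPF may well pass for sender.example, but that is not alice's domain:
    print(dmarc_alignment(msg.as_bytes(), "bulk@sender.example", dkim_domain="sender.example"))
```

The point the demo makes is visible in the output: SPF checks the MAIL FROM domain and DKIM the signing domain, and an attacker controls both of those, so either can pass on its own. Only the alignment requirement ties the authenticated domain to the From: the user actually sees, and a domain without a DMARC policy never gets that check.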
    1. Re:Worse than just being long... by betterunixthanunix · · Score: 3, Interesting

      Which common computer crime problems does digital cash solve?

      https://en.wikipedia.org/wiki/Card_not_present_transaction

      You know how you get this funny feeling about giving your credit card details to some unknown website, or over an unsecure connection, or to some stranger at a gas station? The reason you get that funny feeling is that you are worried that the person you just gave that information to might turn around and spend your money, a basic form of online credit card fraud. It happens all the time, and that information is one of the things that is traded on "carder" forums. Now we have an even worse problem: well known businesses might be attacked, and have databases full of payment information copied.

      Now, a digital cash smart card is another story. You have a card with enough memory to store some digital cash tokens and some circuitry for carrying out a digital cash protocol. You want to buy something online? Plug your smartcard into your computer (why don't we ship computers with smartcard readers?), make the payment, and the worst that can happen is that the counterparty never delivers what you purchased. No fears about your credentials being used to make fraudulent payments, no worries about a database of payment information, and your money can only be stolen the traditional way: someone taking your smartcard from your wallet.

      This was one of the original points of digital cash. Anonymous payments are not good because they let you evade government regulations, they are good because they do not create identity theft problems. Digital cash is good because it is anonymous, and because it is hard (in a cryptographic sense) to make fraudulent payments without at least betraying your identity in the process (and thus opening yourself up to prosecution).

      I am not going to claim that all financial crime problems will be solved with digital cash. People will still need to transfer cash to their smartcards somehow, which is something that also needs to be secured. The point here is that we could defend ourselves from a large and important class of computer crimes by deploying relatively inexpensive hardware (a one-time cost) and some well-developed cryptographic protocols.

      --
      Palm trees and 8
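The Chaum-style protocol the reply has in mind, written out as an added example that is not part of the original post: the bank signs a blinded serial number, the customer unblinds it into a coin, any merchant verifies the coin offline with the bank's public key, and the bank catches a second deposit of the same serial. It is textbook RSA in pure Python with a toy full-domain hash and demo-sized primes; the account debit at withdrawal, the smartcard and the real transport are all left out.

```python
"""Added example (not from the thread): Chaum blind-signature e-cash with
textbook RSA in pure Python. Key size and the full-domain hash are toy
choices; the account debit that accompanies a withdrawal is omitted."""
import hashlib
import math
import secrets
from typing import Tuple

Coin = Tuple[bytes, int]      # (serial number, bank signature on H(serial))


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a small-prime sieve in front."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512) -> Tuple[int, int, int]:
    """Returns (n, e, d). 512-bit primes are a demo size, not a recommendation."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def fdh(serial: bytes, n: int) -> int:
    """Toy full-domain hash; a real FDH expands the digest to the size of n."""
    return int.from_bytes(hashlib.sha512(serial).digest(), "big") % n


def verify_coin(coin: Coin, pub: Tuple[int, int]) -> bool:
    """Anyone holding the bank's public key can check a coin offline."""
    serial, sig = coin
    n, e = pub
    return pow(sig, e, n) == fdh(serial, n)


class Bank:
    def __init__(self) -> None:
        self.n, self.e, self.d = rsa_keygen()
        self.spent = set()          # serials already deposited

    def public_key(self) -> Tuple[int, int]:
        return self.n, self.e

    def sign_blinded(self, blinded: int) -> int:
        """Sign a value the bank cannot relate to any serial (it never learns
        the blinding factor r). A real bank debits the customer here."""
        return pow(blinded, self.d, self.n)

    def deposit(self, coin: Coin) -> bool:
        """Merchant deposits a coin; a serial seen before is a double-spend."""
        serial, _ = coin
        if not verify_coin(coin, self.public_key()) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True


def withdraw(bank: Bank) -> Coin:
    """Customer side: pick a serial, blind H(serial), get it signed, unblind."""
    n, e = bank.public_key()
    serial = secrets.token_bytes(32)
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    blinded = (fdh(serial, n) * pow(r, e, n)) % n      # m * r^e
    blind_sig = bank.sign_blinded(blinded)              # (m * r^e)^d = m^d * r
    return serial, (blind_sig * pow(r, -1, n)) % n      # strip r, leaving m^d


if __name__ == "__main__":
    bank = Bank()
    coin = withdraw(bank)
    print("valid:", verify_coin(coin, bank.public_key()))
    print("first deposit:", bank.deposit(coin), "second:", bank.deposit(coin))
```

This is the property the reply is after: the merchant receives a bearer token, not a credential, so a copied merchant database contains nothing that can be spent again, and the bank cannot link the deposited serial back to the withdrawal because it only ever saw `m * r^e`. What the example does not solve is the case the reply concedes, loading value onto the card in the first place.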
    2. Re:Worse than just being long... by TheRaven64 · · Score: 2

      I recently got to play with a new prototype credit card. It's pretty neat, there is a small LCD and a button built into the card, as well as a NFC transceiver. You put it near your phone or computer and it displays the transaction amount on the card's screen. You press the button and it authorises it, by sending a single-use token to the computer. If your computer is trojaned then it can only be used to steal amounts equal to those of purchases you make (by altering the payee ID, although the next version will probably also display the merchant name). If the remote end is compromised, the attacker gets nothing of value because the generated tokens are only enough to authorise a single transaction of a specified amount to a single recipient.

      I had the idea for such a system a few years ago, and was very disappointed to discover that a lot of other people had the same idea. The cost of building the cards has recently dropped to the level where it's now feasible though, so they should start appearing in most of the world in the next couple of years, and in the USA some time around 2030.

      --
      I am TheRaven on Soylent News
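A model of the card TheRaven64 describes, as an added example that is not part of the original post and not the prototype's actual protocol: the token format, the HMAC construction and the counter-based replay check are my assumptions, and keys and IDs are constructed here. It runs through the exact cases the comment lists, a trojaned PC inflating the amount, a trojaned PC swapping the payee on a card whose screen shows only the amount, the same attack against a card that also shows the merchant, and a token replayed from a compromised merchant.

```python
"""Added example (not from the thread): a model of the display-and-button card
described above. Token format, field names and the HMAC construction are my
assumptions, not the prototype's protocol; keys and IDs are constructed here."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional


def _mac(key: bytes, card: str, ctr: int, amount_cents: int, merchant: str) -> str:
    # Every field the issuer will settle on is inside the MAC.
    return hmac.new(key, f"{card}|{ctr}|{amount_cents}|{merchant}".encode(),
                    hashlib.sha256).hexdigest()


class Card:
    """The card: a key, a counter, a screen and a button."""

    def __init__(self, card_id: str, key: bytes, show_merchant: bool) -> None:
        self.card_id, self.key, self.show_merchant = card_id, key, show_merchant
        self.counter = 0

    def authorize(self, amount_cents: int, merchant: str,
                  button: Callable[[dict], bool]) -> Optional[Dict]:
        """Show the transaction on the card's own screen; emit a token only if
        the holder presses the button. The computer in between can lie about
        anything the screen does not show."""
        shown = {"amount": amount_cents}
        if self.show_merchant:
            shown["merchant"] = merchant
        if not button(shown):
            return None
        self.counter += 1
        return {"card": self.card_id, "ctr": self.counter, "amount": amount_cents,
                "merchant": merchant,
                "mac": _mac(self.key, self.card_id, self.counter, amount_cents, merchant)}


class Issuer:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.last_ctr: Dict[str, int] = {}

    def enrol(self, card_id: str) -> bytes:
        self.keys[card_id] = secrets.token_bytes(32)
        self.last_ctr[card_id] = 0
        return self.keys[card_id]

    def settle(self, token: Optional[Dict], amount_cents: int, merchant: str) -> bool:
        """Merchant presents the token with the amount and payee it wants paid."""
        if token is None or token["card"] not in self.keys:
            return False
        if token["ctr"] <= self.last_ctr[token["card"]]:
            return False                     # replayed token
        expected = _mac(self.keys[token["card"]], token["card"], token["ctr"],
                        amount_cents, merchant)
        if not hmac.compare_digest(expected, token["mac"]):
            return False                     # amount or payee differs from what the card signed
        self.last_ctr[token["card"]] = token["ctr"]
        return True


def cardholder(expected_amount: int, expected_merchant: str) -> Callable[[dict], bool]:
    """Holder presses the button only if what the card shows matches the
    purchase they intended; anything not shown cannot be checked."""
    def button(shown: dict) -> bool:
        if shown["amount"] != expected_amount:
            return False
        return shown.get("merchant", expected_merchant) == expected_merchant
    return button


def demo() -> Dict[str, bool]:
    """Constructed scenarios; the holder wants to pay 19.99 to shop-a."""
    issuer = Issuer()
    press = cardholder(1999, "shop-a")
    results: Dict[str, bool] = {}

    v1 = Card("card-1", issuer.enrol("card-1"), show_merchant=False)
    tok = v1.authorize(1999, "shop-a", press)
    results["honest"] = issuer.settle(tok, 1999, "shop-a")
    results["replay"] = issuer.settle(tok, 1999, "shop-a")           # copied from merchant DB, reused
    tok = v1.authorize(1999, "shop-a", press)
    results["tampered_amount"] = issuer.settle(tok, 99999, "shop-a")  # trojan inflates the amount
    tok = v1.authorize(1999, "mule-b", press)                         # trojan swaps the payee
    results["payee_swap_v1"] = issuer.settle(tok, 1999, "mule-b")     # v1 screen shows only the amount

    v2 = Card("card-2", issuer.enrol("card-2"), show_merchant=True)
    tok = v2.authorize(1999, "mule-b", press)
    results["payee_swap_v2"] = issuer.settle(tok, 1999, "mule-b")     # holder sees mule-b and refuses
    return results


if __name__ == "__main__":
    print(demo())
```

The `payee_swap_v1` case is the residual risk the comment admits to: the MAC binds the payee, but binding only helps if the holder can see what they are binding it to. That is why showing the merchant name on the card, not just on the (untrusted) computer screen, is the fix rather than any change to the token itself.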
  10. Please mod this informative (seriously) by RulerOf · · Score: 2

    Oh noes, he said something true that I don't like. Quick, mod it down! If you just mod hard enough eventually 2+2 will equal 5.

    You were modded down because you're an asshole, posting off-topic. I humbly request anyone with a spare mod point to make this troll's day:

    2+2 = 5

    --
    Boot Windows, Linux, and ESX over the network for free.