When Joseph Menn said that the Internet – the system that lets computers talk to each other – will not collapse, a collective sigh of relief went through the audience at the National Center for the Preservation of Democracy.
But, Menn said, the Internet, and particularly the sites that handle our sensitive financial information, are by no means safe.
“If we’re talking about the Internet as we’re actually using it today, as a trusted medium for financial transactions and for doing business online,” Menn said, “that could actually end.”
Menn, a technology writer for The Financial Times and author of Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet, followed the trail of notorious cyber criminals around the world and explained how they can sink banking sites, Internet carriers, and even countries – and what we can do about it.
Text message alerts for hackers
For all the self-updating antivirus software and firewalls, computers and the web are easy prey for savvy hackers. More than half of all credit card numbers are in the hands of criminals, even if they don’t get around to using them all, Menn said. “Things will get much more interesting when they have half of all debit card numbers.” More than half of all PCs have some kind of malware, infected with programs that can record every keystroke and piggyback on legitimate banking transactions to set up money transfers to Russia or Eastern Europe. (For the record, Menn said in Q&A, Macs are safer than PCs, largely because they have a smaller market share, and criminals are less interested in programming viruses for them.)
Small businesses have begun to go bankrupt because of hackers’ activity, Menn said, and in their legal fight with banks, it’s unclear where responsibility falls and who will win. Most computers have compromised applications, particularly rarely used or updated ones. Antivirus software falls short, viruses are getting stronger – able to morph into thousands of different variants within an hour – and criminals don’t need programming know-how to deploy them. “You can get a free kit on the Internet that will help you deploy a bank Trojan,” Menn said, noting that it’ll pick your preferred bank, your language, and send a text message every time a potential victim signs on to a banking site.
There are a few reasons why the web came to be this way, Menn said. The first is the very open architecture of the Internet – a security framework capable of handling financial transactions simply wasn’t built into it. When people began banking online in large numbers, he said, “we had an administration that was allergic to all forms of regulation. Nothing significant was done in terms of cybersecurity.” Second, few people know the Internet is unsafe – it’s a technologically and legally complicated issue, and also geopolitically confounding. And finally, there’s little incentive for those in-the-know to clue in the public.
“Dell and HP want you to buy computers. Security companies want you to be concerned enough to buy their products, but not so concerned that you realize their product will not protect you,” Menn said. “And it’s the rare law enforcement official who will call a press conference to say they can’t catch anyone.”
How cyber crime began
Problems began arising in 2003, when viruses became a big commercial enterprise. Before that, Menn said, “some disaffected teen may knock over eBay for a day,” but that was it. In 2003, spam filters became widely used, and criminals began to amass many computers to disguise the origins of spam – assembling “herds of robotic computers” to send out more spam, and to crash websites.
Menn began reporting on cyber criminals by following the trail of such “denial of service gangs,” since the impact of their crime was easy to understand. They began in late 2003, targeting websites like offshore gambling companies in Costa Rica and elsewhere, demanding from such companies $40,000 in exchange for making their sites operational again. It worked, Menn said, because the gambling companies have “a lot of cash, they can’t afford to be down on Super Bowl Sunday, and they don’t have great infrastructure.” They were also unlikely to go to law enforcement agencies in the U.S., where they’re illegal.
Menn followed Barrett Lyon, a then-25-year-old flip-flop-wearing computer security whiz who infiltrated the Russian mob via Internet chat, and got real names and IP addresses for the criminals, which led to three arrests. Menn also traced the work of British cyber security enforcement, who were much more responsive than their American counterparts partially because, Menn said, (legal) British gambling companies were a target. One British officer, Andy Crocker, developed friendly ties to Russian law enforcement and got a major criminal arrested, though his law enforcement ties got him released a month later. Lyon, meanwhile, ended up accidentally working for the American mob, and informing on them to the FBI. Despite these successes, Menn said, law enforcement rarely catches cyber criminals.
Mobs and wars
The centers of cyber crime are Russia and China. While the American mob isn’t doing so well – even if the Gambino family, for instance, scored $650 million off one internet scam and has members serving as marketing officials in online gambling companies – the Russian mob excels for a few key reasons. Russia has strong technical education but few legitimate jobs in which to channel skilled workers. The country also has high levels of corruption, even in law enforcement jobs, which are low paid. “The lowest paying job is traffic cop, and that’s the job everyone wants,” Menn said, because the traffic cop can “interface with and shakedown his public.” Major Russian hackers, Menn explained, who sometimes work with American criminals, “won’t be arrested, I don’t think, in my lifetime.” Russia’s government not only protects hackers, but also seems to use their skills. The 2007 attacks that brought down Estonia’s banking system and that are thought to be the “first cyber war,” Menn said, weren’t clearly tied to Russia’s government. But its involvement in Georgia was more clear – hackers brought down media sites in cities about to be invaded, suggesting they had advance sensitive information about military plans. (The U.S. government, he noted in Q&A, also takes cyber war very seriously, if not defense against it.) The situation in China is something of the reverse, Menn said, beginning with “patriotic hacking” and evolving into for-profit crime. The government seems to let cyber criminals operate in exchange for corporate secrets.
A cyber Katrina?
While the West may face a “cyber Katrina,” Menn said, the greater danger is no crisis at all, which would make us the “proverbial boiling frog.” People could gradually lose their trust of electronic commerce. But, he said, particularly thanks to Google’s “strongly implied” statement that it had been hacked by the Chinese government, we are growing more aware of the problem. Congress has some pending bills that would help, and Barack Obama gave a speech in May on cybersecurity, though he waited till January to appoint his promised czar on the matter. Menn recommended getting a more secure Internet protocol for financial transactions, better privacy laws, and more education and research into making the web secure, though the effort may be costly and take years to develop.
He also suggested that banks be required to report how much they lose to fraud, which could create competition on the basis of financial security. Consumers can also take measures themselves, by choosing computers and browsers that do less – “too much power can do too many things to your computer.” Internet users should be careful with what information they share online, and keep close tabs on their credit reports. The Internet, Menn said, “will be great for watching YouTube videos,” but without better security, it may no longer be good for buying and banking.
*Photos by Aaron Salcido.