Over the Christmas holiday, business news and intelligence website Stratfor joined the ranks of a club no company wishes to be a part of – those who have been hacked. In Stratfor’s case, the deed was carried out (reportedly) by hacker group Anonymous, which infiltrated the company’s servers and then publicized sensitive customer information on the internet. I should know. My credit card number was among those stolen, and I have already experienced the fallout. I was contacted last night by a scam artist cleverly disguised as an India-based call center for Amazon.com.
Luckily, my habit is not to answer any phone call from a number I don’t recognize. The call went to voicemail, and I was somewhat skeptical of the ostensible purpose of the call (to query me about “suspicious” card activity). I called Amazon (not the number given to me over the phone) and quickly ascertained that the previous call was a phishing expedition. Needless to say, I canceled the card.
The reason provided by Anonymous for hacking Stratfor had nothing to do with taking credit card information; the aim was rather to gain access to Stratfor’s emails. It seems my credit card account and the $200 already charged in illicit purchases were but collateral damage due to Stratfor’s carelessness in placing such information in relatively open areas of their server environment. As Bloomberg’s Michael Riley reported at the end of the year, such thievery is big business. In totaling up the value of the cyberheists, Riley cited a figure from Symantec: $118 billion per year.
The hacker group Anonymous fancies itself as something of a cross between Robin Hood, whistleblower, and anarchist. I’m not sure what Anonymous – or those operating in its name – believes is so cool and secretive that Stratfor might have in its emails. I’ve always imagined Stratfor as something like the Council on Foreign Relations but with a small publishing function for news and views and a security consulting business mixed in. Yes, they probably know a lot about the way the world works, but so do a lot of people.
Besides, who believes that the world is screwed up due to a lack of information? Corporate thieves – the ones Anonymous claims to target – have the audacity to do their work in broad daylight. I fail to see how a few emails squirreled away on Stratfor’s servers will motivate people to seek out political change to end corruption and self-dealing. If the financial crisis and its unsatisfactory wind-down weren’t enough to wake folks up, I doubt Anonymous’s daring heists will do much in that respect. Unless, of course, Anonymous is merely using political rectitude or activism as a cover to grab a slice of that $118 billion pie for itself.
And there are much bigger fish out there than the small fry of stealing credit card numbers from an online vendor. Writing for the Financial Times, Joseph Menn has a big page-long spread in today’s paper detailing the cybersecurity of U.S. banks and, more tellingly, their clients. He tells the story of Experi-Metal, a U.S.-based auto parts maker that lost $560,000 in a matter of hours once a skilled thief had ascertained the vital information needed via a fraudulent “customer service” email form. Experi-Metal was able to pin the losses on its bank, Comerica, which it felt could have done more to stop the fraudulent transfer out of its accounts. Experi-Metal was lucky. Many companies that suffer fraud and lose a bundle, according to the FT, lack the protections that individuals enjoy vis-à-vis cybercrime. As Menn writes:
“Individual Americans are protected by Regulation E of the federal banking code and are liable for a maximum $500 if a cyberthief strikes. Companies – even those owned by a single person – have no such guarantees.”
And:
“Most businesses are unaware that they do not have the same protection as consumers. Just 18 per cent of 1,000 small companies knew the truth in one recent survey by Actimize, a banking security company. Analysts say that those unaware of the risks are less likely to insist on precautions, such as mandatory phone calls to confirm every wire.
“Often, companies find out that they are liable only when they have been robbed.”
Being inconvenienced personally is always a consciousness-raising experience, but after doing some cursory reading and seeing the volume of recent news items detailing cybercrime, I think I’m not being a complete narcissist in saying that cybercrime will be a big trend line to watch in 2012. Data published by the Financial Times show that losses to the banking industry due to cybercrime (this includes identity theft, check-related fraud, credit card fraud, computer intrusion, and wire transfers) have fallen by over half since peaking in 2006. That’s the good news. The bad news is that the banks tend to cover a greater percentage of the losses for large corporate clients, leaving small businesses relatively exposed when it happens to them, and these are precisely the folks who feel such losses the most. For some, cybercrime can end up being an enterprise-changing event.