Johannesburg, 07 Apr 2008
During 2008, incidents of cyber-crime can be expected to climb as criminals around the world capitalise on the opportunities the Internet provides for them to reap substantial financial rewards with a relatively low risk of getting caught and punished.
The business of cyber-crime is worth tens of billions of dollars a year and is now, by some estimates, larger than the drug trafficking trade. Criminals have flocked online because the Internet offers them much the same benefits as it does legitimate businesses: a global reach, the ability to automate transactions, and easy access to a market comprising potentially billions of victims.
Criminals also like the fact that the Internet offers them an anonymous platform for their business. They don`t need to be in physical contact with their targets to get hold of their passwords, identities or money. Indeed they can be another country, which means reduces the risk that they`ll be captured and successfully prosecuted.
South Africans, as part of a globalised world, are as vulnerable to cyber-crime as they are to real-world crime. In one incident late last year, a Cape Town-based children`s charity was defrauded of nearly R100 000 by an online fraud syndicate that managed to get the organisation`s online banking details through a phishing scam.
Like many local online banking users, the charity`s CFO probably imagined that the SMS-based one time PIN (OTP) gave her an additional layer of protection against online criminals. The OTP, sent via SMS when the user logs into online banking, is needed to authorise certain transactions like transferring money to an account not already on the beneficiaries list. Yet the fraudsters easily managed to get hold of the OTP by persuading the cellular operator, with the aid of a fake ID book, to cancel the online banking user`s SIM card and issue them with a new one. This particular case demonstrates that cyber-criminals have reached a frightening level of sophistication and are able to combine a range of technical skills with social engineering techniques and faked identity documents to get what they want.
The range of cyber-crimes is as diverse as the list real-world crimes: extortion rackets, phishing, information and identity theft, and money laundering are just a few examples. Internet fraud represents one of the fastest growing categories.
The US Department of Justice defines Internet fraud as any fraud scheme that uses one or more components of the Internet to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to a bank account.
We`re seeing a host of new technologies and standards come to market to help organisations protect their own data and that of their customers. The Payment Card Industry (PCI) Data Security Standard, for example, was created by the major credit card companies to safeguard customer information. Visa, MasterCard, American Express, and other credit card associations expect merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data.
Charl van der Walt, the Service Delivery Director of Sensepost, our sister company and a subsidiary of SecureData Holdings, notes that this standard is particularly interesting as the first set of technical specifications in the Internet security industry to have real teeth. The card associations have laid down severe penalties for companies that cannot demonstrate that they have passed an audit for compliance with the standard.
Sensepost is an officially accredited to perform certain audits for PCI compliance, and can help companies to assess and identify credit card data container vulnerabilities. Van der Walt notes, however, that the big danger with such a standard is that companies may end up doing the bare minimum necessary for compliance.
Given the growing number and severity of the threats they face, companies should take a proactive approach to security and make best practices and policies a standard part of their businesses. No company can afford to be complacent.
With a sound security strategy in place, an organisation will not only be able to demonstrate compliance to standards such as PCI, it will also have the peace of mind of knowing that it has done everything possible to protect its business and customers.
Share