Real and present danger for e-commerce
When it comes to cyber crime, the unfortunate truth is that if it's online, it's at risk.
As SA's annual high point in consumer spending draws near, it's worth considering the damage cyber crime is doing to e-commerce. And with the August 2012 cyber theft of cardholder details from local payments processor, PayGate, what is the broader impact of cyber crime on individual consumers?
Internet or cybernet? The unfortunate truth...
In a must-watch February 2012 video interview, Joseph Menn, the computer industry and cyber security correspondent for the Financial Times, warned that cyber crime is "very bad news for the economy overall if people lose faith in electronic commerce".
In Menn's opinion, being commercially-averse to the Internet is exactly what consumers should be: "The unfortunate truth is that they should lose faith in electronic commerce. It's fundamentally not safe. And it's getting much less safe."
As consumers, first-hand experience certainly reinforces that view. If it hasn't yet happened to you, there's probably someone you know whose payment card or online banking has been defrauded. In the past five years, I've had about 20 fraudulent card payments or cash withdrawals made on my accounts.
It's as clear as day these are not isolated incidents. Earlier this year, three illicit payments were made over a few days on one of my cards through PayPal. I've only made one card payment on the net since 2002, so I hardly fall into the category of a regular user with a possibly higher risk of exposure.
I'd say the really unfortunate truth is that if it's online, it's at risk. And being connected has nothing to do with being protected.
In my PayPal cases, I had to visit my branch, complete a fraud report form and pick up a replacement card. I was told these particular frauds were so common at the time, that the bank was fast-tracking the fraud reports and I could expect to be refunded almost immediately. Which I was.
But, when my household fell for a straightforward phishing scam in the guise of a pretty convincing online banking survey, the story didn't have a happy ending. Of the R5 100 stolen in a single transfer, only R1 500 was reimbursed. And I was truly grateful to my bank for that. If online credentials are supplied as a result of phishing-based theft, people are lucky to get anything reimbursed. If you get phished, it's your problem.
Wanna go phishing?
Well, SA is a lekker spot for phishing! Based on information from its customers, Symantec's Intelligence Report for July 2012 says SA ranked second as the world's most phished country, with one in every 171 e-mails identified as phishing attempts.
SA's chart-topping position is nothing new. Symantec also reports that local organisations received the highest proportion of phishing mails in 2011, with an average phishing rate of one in every 96 mails. And in 2010, the highest rate was also for SA, with a ratio of one in 99.
Being connected has nothing to do with being protected.
To state the perhaps-not-so-obvious, cyber villains typically target Internet users with phishing mails to con them into providing online banking or payment card credentials. Then they try to rob the ones they've conned.
And they're pretty good at their robbing. It might be a numbers game for cyber villains, but give them an inch and they'll take a mile. For example, in a May 2011 cyber theft, details of over 360 000 cardholders were stolen from the American bank, Citigroup. The bank said the data was limited in nature and couldn't enable transactions. Customers were not at risk, since Social Security numbers, birth dates, card security codes and expiry dates were not stolen.
But, it seems card numbers, home addresses, holders' names and e-mail details were merely a starting point for the cyber villains. The limited data would certainly have been enough to mount a targeted and well-organised phishing campaign aimed at stealing the transaction-enabling info.
And a few weeks after the initial theft, Citigroup disclosed that over $2.7 million (about R24 million) had already been lost to fraudulent payments on more than 3 400 of the affected cards. For a fast R24 million, why wouldn't the cyber villains get a bit organised?
And that brings me back to the cyber theft at PayGate, a local processor of card payments for each of SA's four big banks as well as retailers like Woolworths. Apparently, details of hundreds of thousands of South Africans were stolen from PayGate.
The company said cardholders were not at risk because it did not keep personal data like addresses and ID numbers. But it did store their e-mail details. In light of the Citigroup incident, it's hardly surprising that PayGate has warned people to be wary of phishing.
Consumers don't have a prayer
Art Coviello, president of the global IT security giant, RSA, has said: "With the end-point security that the average consumer gets, as well as small and medium businesses, they don't have a prayer."
Heavy-duty commentary on the cyber threat to consumers really doesn't get much more damning than that.
Part of this prayer-less situation is due to the fact that consumers create a great deal of their own vulnerability to cyber crime. For example, social media sites are like data hypermarkets for motivated cyber villains trawling for personal info to use for phishing.
Heather Adkins, Google's information security manager, said in February 2011 that Google's exposure to a cyber attack on multiple corporates, which was known as Operation Aurora, started with a phishing campaign targeting a small number of Google employees. Information about them was apparently gathered from social media networks.
Adkins said the phishing mails that were then sent to the 'marks' were designed to motivate visits to a photo-sharing Web site set up by the cyber villains. One of the targets clicked on a link to the Web site, triggering installation on their computer of a 'backdoor', remote-access tool that was then used to enter Google's internal systems.
If it can happen to an Internet colossus like Google, it can certainly happen to Coviello's prayer-less, individual consumers.
According to Internet World Stats, there are 6.8 million South Africans online, and as of the end of June 2012, over 4.9 million local Facebook users.
Given those truly enormous user numbers, it's clear the local dangers from consumer-focused cyber crime are hardly insignificant. As a result of the cyber theft from PayGate and the abundant, long-term phishing targets it has possibly exposed, some of us are probably going to pay, mate.
Alternatively, we could all change our names and e-mail addresses and then PayGate's cyber villains won't know where we are... Happy hols.
Mark Eardley has worked in the South African biometrics industry since 2006. He has directed the marketing for a local biometric brand and is currently responsible for business development at SuperVision Biometric Systems, South Africaâs oldest biometric specialist.