Computer Crime Research Center

hack/hack35.jpg

Fraud: Online security concerns

Date: November 28, 2005
Source: timesonline.co.uk
By: Sandra O’Connell

FRANZ DESIGN, a Portlaoise company set up 11 years ago, was an early adopter of e-commerce, to the point that online orders came to account for 20% of annual sales. Last year, however, web orders started to fall off worryingly.
“All of a sudden people became increasingly concerned about security and the number of online orders started to drop,” said Franz Caffrey, the company’s founder. “Customers began ringing to say they really didn’t want to leave their credit card details on our secure server.”

The development forced Caffrey to rethink the way the company carried on its online business selling handcrafted wooden pieces. Providing top-notch goods and a first-rate service isn’t enough. To succeed you must also provide top-level security.

Caffrey redesigned the company’s online facility to provide dedicated websites for both his American and European customers.

He also took the opportunity to outsource commercial transactions to PayPal, a secure payments specialist. Owned by eBay, the company is recognised by banks and, crucially, consumers around the world.

The move did the trick. “It has given consumers a lot more confidence in buying online, and at the end of the day the internet business is based on trust,” said Caffrey. “Whatever it takes to build customer confidence, that’s what I have to do.” Consumers are increasingly aware of the risks of cyber-crime “either because they’ve been stung themselves, or because of the massive media coverage about it”.

Central to the rise in cyber-crime has been the spread of spyware, software programs that lodge surreptitiously in a computer and transmit data to a third party.

Some of the spyware programs are highly sophisticated. UK police recently foiled the attempted theft of £220m (€322m) from the London branch of a Japanese bank. Having gained access to its computer network using spyware, the hackers attempted to transfer the money electronically to bank accounts around the world.

Britain’s National High Tech Crime Unit, which cracked the case, now reckons more than 80% of companies in Britain have fallen victim to some form of computer crime.

In Ireland, the IT firm MJ Flood Technology believes small firms are particularly vulnerable, largely because they are ignoring basic security steps and leaving their networks exposed to a range of spyware-enabled activities.

James Finglas, sales director of MJ Flood, said: “Spyware has evolved from an occasional nuisance to something far more sinister. A new generation of more sophisticated spyware is being targeted at organisations with the objective of stealing sensitive corporate data such as banking information or credit card details.”

But while large companies routinely protect their networks from such malicious internet traffic, small companies show a “bewildering reluctance” to improve their computer security, he said.

If a lack of money for in-house IT expertise is the primary cause, it may be a false economy. One company experiencing difficulties with its computer system recently contacted MJ Flood for a network audit. It revealed that the significant computer network downtime it was experiencing was the result of illicit software in its system. The network subsequently crashed and remained down for eight days.

The direct cost of cleaning up the network and installing a secure content management system was €27,000. But that figure doesn’t include loss of productivity, opportunity costs or damage to its goodwill in the marketplace.

Unknown to the user, spyware installs software on your PC or laptop that transmits data to a central service, where such information, ranging from browsing habits to credit card details, has a commercial value.

It often — though not always — emanates from pornographic or illegal music download sites. Finglas believes a “holistic approach”, including education, firewalls and antivirus software, is required to beat it.
Research published as part of the recent government-backed Make IT Secure initiative backs this up. It found that three out of four Irish internet users don’t know what spyware is and 90% don’t know what phishing means. It is sending bogus e-mails that attempt to gather personal or financial information from recipients.



Espion specialises in breaking into the computer networks of large companies and government agencies to identify weak spots in their infrastructure.

“In some cases you can be duped into accepting spyware if you click on pop-ups, some of which actually purport to scan your computer for spyware,” said Colm Murphy, Espion’s technical director.

Not all spyware is malicious. Adware, for example, transmits marketing information.

“The worst kind of spyware are keystroke loggers that can be used to get passwords and user names. This is the kind of software you use to rob a bank,” said Murphy.

Espion research undertaken for the Make IT Secure campaign found that a computer used for internet surfing for three hours every day will attract on average one spyware attack a week. “The majority of it is in the low-risk category,” said Murphy. “But if you access porn sites, that number doubles and the spyware is more likely to be of the more sinister variety.”

Another study indicates that the average computer has 28 items of secret monitoring software on it.

Both Finglas and Murphy point out that the greatest risk from spyware is not so much crime, but the costly degradation of your computer’s performance.

“Spyware clogs up your network and takes up bandwidth that you are paying for. It’s a little like having your electricity stolen,” said Murphy.

In most cases the first sign you have a spyware problem is that your computer becomes sluggish. This is because of logjams caused by the spyware uploading information about you and downloading pop-up ads tailored to match your browsing habits.

Avoiding spyware isn’t necessarily costly. Simply ignoring seemingly innocuous calendars, clocks or toolbars — used as bait for downloading spyware — can help enormously.

“It is also relatively easy to prevent if you set your internet settings in Internet Explorer, which most people use, to high. That will help stop dodgy stuff getting in and won’t cost you a cent,” said Murphy.

“Also, don’t download anything that you are prompted to download unless you have specifically requested it. Always say no. People often say yes without thinking.”

But in some cases you may unwittingly have given permission for security-compromising software to be downloaded. Conall Lavery, managing director of IT security company Entropy, said: “You often find adware mentioned in a website’s terms and conditions — the problem is they are usually so long and complex that nobody reads them.”

Beating spyware requires a combination of firewalls (which prevent unauthorised access to private networks) and up-to-date spam filtering, antivirus, spyware- and URL-blocking software. It also requires the education of employees in relation to computer usage.
“Broadband means the internet is so much faster that staff are more likely to be surfing sites that are not work-related,” said Lavery.

Small firms also need a change of attitude. “When it comes to IT security, small firms tend to want to buy something in a box and have it sorted. This particular problem doesn’t work that way. Just as the lock on your business door is augmented with shutters and alarm, you need to take a multilayered approach to IT security.”

For more information on ,securing your IT systems see www.makeitsecure.ie. Free spyware scanners are available from www.safer-networking.org. Internet useage policy templates are available from the Small Firms Association at www.sfa.ie
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo