Sunday, November 11, 2007

eCrime is not yet Organized

Fact: Criminals have become quite adept at stealing your personal information via the Internet.

Malware designed to secretly steal personal information is currently resident on millions of computers. Millions of bank customer records are available for purchase from corrupt BPO (Business Process Outsourcing) employees in India and elsewhere for a few dollars per record.

Online criminal gangs have proven their ability to regularly break into databases and pull down millions of customer accounts, including credit card details and other personal data. Phishing scams regularly fool thousands of people into revealing their personal information and banking details.

Q. So why aren't these activities bringing down major banks or retailers?

I believe the answer lies in the fact that ecrime is not really organized - yet. While the criminals have become adept at malware manufacture, they are not yet data-parsing geniuses.

Currently, the sheer volume of data being collected, and the current inability of criminal gangs to parse the data they are collecting, means they are unable to target individuals based any useful analysis of that data, such as "net worth", "timing of deposit activity", "statement viewing frequency", or similar paradigms.

However, I think that's about to change. And so do most of the executives I've spoken with at Authentium's customer and partner companies.

In the same way that common criminals currently case a physical bank, or shopping mall, for the right time of day to perform a heist, I believe online criminals may soon start casing online accounts for "spiky activity", such as an executive's payday, or an investment banker's end of year bonus.

Why is such analysis required? Take the typical current account. Many families and small business owners use their current accounts for bill payment.

For much of the month, these accounts sit empty - but at the right time in any given month, these accounts may contain both rent and payroll. At that moment, a stolen "user name and password" combination is more valuable than at other, leaner times - a fact that I'm sure is not going unnoticed by carders and other middlemen.

Right now, there is no compelling evidence that criminals are yet using these sophisticated methods for frauds. However, there is little doubt that, over time, criminals will begin adopting these methods. It's just pure Darwinian logic.

In the future, uninformed criminals lacking information on the right time to "hit" accounts ultimately end up expending a lot of effort for little or no gain. These criminals will eventually go out of business.

The more organized and "informed" criminals (i.e. those capable of processing their data) will grow in sophistication to the point where they will be able to visualize exactly the right time to attack a bank located, say, in a second-tier city, in which a majority of the employees are paid by two large companies on a certain date.

If I'm right, then we could be experiencing a period of calm ahead of what could prove to be quite a storm of activity.

No comments: