Lecture 05 - Cybercrime PDF

Summary

This lecture from May 13, 2024 at the Technical University of Munich discusses cybercrime, including its various types and costs. It covers the different kinds of cybercrime, such as phishing, ransomware, and more, and then examines the financial implications, societal impacts, and issues in law enforcement and defense.

Full Transcript

IT and Society
Lecture 5: Security – Cybercrime
Prof. Jens Grossklags, Ph.D.
Professorship of Cyber Trust, Department of Computer Science, School of Computation, Information and Technology, Technical University of Munich
May 13, 2024

Recap – Societal Privacy
Two lectures ago: GDPR
Last lecture:
– Development of law is a messy and haphazard process
– Privacy activism plays a critical role in various ways to make data protection a reality
Discussed examples of law "development" and activism

Lecture 5 Security – Introduction
Focus on Cybercrime

An Overview of Cybercrimes
Before discussing which countermeasures are appropriate, we need to understand the large diversity of issues
– Combining aspects of traditional crimes with newly emerging approaches

Large Number of Sources
(Slide showing sources from 2012 and 2019; the focus of today's lecture is marked)

What is a Cybercrime? 3 Facets.
1. Traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems
2. Publication of illegal content over electronic media (e.g., child sexual abuse material or incitement to racial hatred)
3. Crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking
Definition from "Towards a general policy on the fight against cyber crime", European Commission

What a crime! A matter for the police? Should eBay help?

Framework to Think about Impact
(Figure illustrating the cost framework with examples, e.g., a scam, a botnet. Source: Measuring the cost of cybercrime)

Criminal Revenue
Revenue from crime
– Criminal earnings
– Minus criminal inputs (investments)
Example Phishing:
– Earnings: Money received from victim accounts
– Criminal input: Amount the phisherman pays to spammers or botnet owners for distributing phishing mails

Direct Losses
Value of (monetary) losses, damage, or other suffering felt by the victims as a consequence of a cybercrime
Examples:
– Money stolen/withdrawn from victim accounts
– Time and effort to reset account credentials after compromise (for both banks and consumers)
– Lost attention and bandwidth caused by spam messages

Indirect Losses
Value of the losses and opportunity costs imposed on society by the fact that a certain type of cybercrime is carried out
– Cannot easily be attributed to individual perpetrators or victims
Examples:
– Loss of trust in online banking, leading to reduced revenues
– Sales foregone by online retailers
– Reduced uptake by citizens of electronic services, whether from companies or governments

Defense Cost
Costs of prevention efforts
– Security products
– Security services provided to individuals (e.g., awareness training)
– Security services provided to industry (e.g., website 'take-down' services; fraud detection and recovery efforts)
– Law enforcement
Like indirect losses, defense costs are largely independent of individual perpetrators and victims, or types of cybercrime

Total Cost of Cybercrime
Sum of direct losses, indirect losses, and defense costs
What is the largest of these three parts?

Costs >> Cybercriminal Revenue
Criminal revenue is typically significantly lower than direct losses and much lower than total losses
– Example case: A botnet earned about $3m a year by promoting unlicensed Viagra sales on hijacked websites. Cost is about a hundred times that much → responsible for a third of the world's spam in 2011 (total spam cost to industry about $1bn a year)

Offline Example: Metal theft (vandalism for profit)
(Photo: Sewage works in Etzelmühle. Where is that?)
Costs:
– Replacement of damaged/stolen parts
– Shutdown of services, e.g., 155,000 minutes of train delay in Germany in 2011
– Prevention (video surveillance) → Investment plan of Euro 85M for video surveillance by German train service and federal police
https://www.fr.de/wirtschaft/tonnen-schienen-angebot-11719029.html
https://www.heise.de/newsticker/meldung/Deutsche-Bahn-Videoueberwachung-zahlt-sich-aus-3186103.html

High-profile target? Worth protection? How much?
https://www.op-marburg.de/Landkreis/Hinterland/Metalldiebe-schlagen-zweimal-zu

Listing of recent cyberincidents in German communities (2023/2024)
https://kommunaler-notbetrieb.de/
Incident categories shown: Data loss; External influence; Internal cause; External attack; Disruption (soft-/hardware)

Policy Question
Who will (or should) pay to stop cybercrime?
Companies: Investments in protection to reduce direct costs?
Governments: Investments in collective defense?
Citizens: Vigilance & avoidance of "unsafe" activities, and individual protection efforts
Opinions?

Law Enforcement Challenges
Perpetrators and victims are often in different jurisdictions
– Reducing the motivation and the opportunity for police action
Mutual legal assistance across borders was not intended for routine police and criminal justice cooperation but for rare and serious cross-border crimes (except EU)
– Is spamming to sell Viagra a rare and serious cross-border crime? Is selling unlicensed Viagra online such a 'rare and serious' crime?

Mapping the global geography of cybercrime (2024)
Focus: geographical location of cybercrime offenders
Based on insights from international experts (survey)
https://doi.org/10.1371/journal.pone.0297312

Law Enforcement Reality (U.S. Perspective)
Potentially thousands of hours in research and cyber forensic analysis:
– Identifying, preserving, retrieving, analyzing and presenting data as a form of evidence
– For evidence to be admissible in court: Police need to obtain a warrant to seize computers etc.
– Special technical skills needed when obtaining and analyzing the evidence (e.g., ability to decrypt encrypted files, recover deleted files, crack passwords)
→ Specialized cybercrime units are assembled (i.e., not possible for regular police departments)
If conviction is successful: sentencing and penalties vary
– Hacking is considered a federal offense (i.e., form of fraud). Penalty: small fine; or serving up to 20 years in prison
– Spam: Minimum punishment of a fine up to $11,000. Additional fines possible; jail if fraud
– Identity Theft: jail up to 5 years
What crimes/criminals would you pursue if you worked for the FBI?
https://us.norton.com/internetsecurity-emerging-threats-how-do-cybercriminals-get-caught.html

Details about Cybercrime Categories (see Measuring the Cost of Cybercrime research paper)

Online Card Fraud
"Bellwether of online property crime overall"
Big picture:
– Payment fraud has about doubled in total/absolute value since 2012, but it has fallen slightly as a percentage of turnover: electronic payment systems have gotten much bigger, and slightly more efficient
– While a large problem, considered to be an "accepted loss" by financial institutions (convenience overcomes security)
→ Hard to fully secure: https://www.usenix.org/conference/usenixsecurity21/presentation/basin

Online Banking Fraud
Different mechanisms than online card fraud:
– Phished or stolen credentials (e.g., using malware); mobile malware to sidestep 2-factor authentication
UK figures: Online bank fraud more than doubled, from £51.1M in 2011 to £121.4M in 2017
Authorized push payment (APP) scams: New category with £236M over 43,875 incidents
– Bank account holder is tricked into transferring money to the fraudster, who typically poses as a bank employee and uses some combination of social engineering skills and technical mechanisms

In-person Payment Card Fraud
EMV (originally: "Europay, Mastercard, and Visa"):
– Payment method using smart payment cards as technical standard
– Costs of the EMV rollout are large (billions of Euro)
Success: Almost all counterfeit card fraud against European cards is now at terminals outside the EU
– Need to update payment (point-of-sale (POS)) terminals worldwide!
What will be the long-term trend, once POS terminals are updated worldwide?

Ransomware and Cryptocrime
Ransomware has existed for about 20 years: Niche crime at first
– Read research by Young/Yung (1996 & 2007): Cryptovirology and Kleptography
Interesting interaction effect:
– After ransomware malware authors adapted to cryptocurrencies, their revenues increased substantially
Pure cryptocurrency crimes:
– Ponzi schemes with new emerging cryptocurrencies
– Crypto-mining malware (vs. content payment at websites)
– Fraud (insider), e.g., Mt. Gox; hacking incidents

Fraudulent Marketing and Distribution
– Ad fraud
– Unlicensed and patent-infringing pharmaceuticals
– Coupon and loyalty-program fraud
– Travel fraud
– Copyright-infringing software
– Copyright-infringing music and video
Long-standing discussion about economic impact

Example: Who pays for Ad Fraud?
Total sum: Over 2 billion disabled fraudulent accounts in the first quarter of 2019 at Facebook
– Once these accounts are discovered, are advertisers reimbursed for ads shown to these accounts?
– Is "not reimbursing" fraud?

Fake Antivirus and Tech Support Scams
Fake Antivirus: Being scared into purchasing software that at best does nothing and at worst leaves your computer open to other attacks
Complemented by so-called 'tech support' scams, which involve telephone calls (claim: from ISP or Microsoft)
– Caller explains that some sort of problem with the victim's computer has been detected; tries to pressure-sell some (fake) security software

Compromised Email Accounts
Some large-scale breaches: e.g., Yahoo's loss of 3 billion accounts
Exploiting accounts is done as part of a diverse set of scams
Costs: e.g., business value
– $350 Million reduction in sale price when the breaches came to light, while Yahoo was being sold to Verizon
– Expected court costs and penalties/settlements
Has your email been part of a data breach? How would you find out?

'Fake Escrow' Scams and Other Fake Company Scams
Escrow: Third party holds and regulates payment of funds when two or more parties are involved in a given transaction
Large variety of scams, for example:
– The majority of websites offering pedigree puppies for sale are believed to be fake
– Victims pay not only for a non-existent puppy but also for its air transportation and then further expenses when the puppy is said to be stranded at an intermediate airport without food or water

Advance Fee Fraud
Victim must pay out a small amount of money (a tax, a bribe or just a bank account opening fee) in the expectation of a large sum of money being released
– Also referred to as '419 fraud' after the relevant article of the Nigerian criminal code
– Large number of formats
Cormac Herley (Microsoft Research): Why are scam emails so "silly"? → Try to identify the most gullible people

Business Email Compromise Scam
Process:
– Fraudulent email message is sent to a company's financial manager, comptroller, or someone else with authority to execute wire transfers
– Email falsely claims to be from the CEO or other person of authority within the company and instructs the receiver to initiate a wire transfer to a foreign bank account under control of the criminal
Successful because they prey on the victim's instinct to respond quickly to a request from a person of authority in the company
U.S. Data (FBI IC3): For 2020 IC3 data: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
Recent variation: https://www.microsoft.com/security/blog/2021/05/06/business-email-compromise-campaign-targets-wide-range-of-orgs-with-gift-card-scam/

Telecom-related Fraud including PABX Fraud
Communications Fraud Control Association (CFCA) publishes data on fraud losses associated with telephony, both fixed and mobile
– Costly calls are now mainly to premium rate numbers, both domestic and international
Good news: Down to $29.2 Billion (2017 report data), with a fall of 23.2% from 2016
PABX = Private Automatic Branch Exchange

Industrial Cyber-espionage and Extortion
Conjecture: Enormous problem
– Criminal cases in court
– But impact hard to measure. For example: Failure to find any case with quantifiable losses where a drug company could not file a patent because of unauthorized prior disclosure, or any major software copyright infringement cases brought by western tech firms against international competitors (e.g., from China)
Extortion: Previously mentioned ransomware cases
– Industrial facilities that went offline due to ransomware

Fiscal Fraud
Tax fraud and welfare fraud
– Computer crime under the EU definition, as almost all tax returns and welfare claims are now online in many countries
Third-party tax fraud
– Criminals impersonating citizens by electronically filing fraudulent tax returns
– Billions of U.S. $ in damages just in the U.S. system

Other Frauds and Scams
Think creatively:
– Just about every business-to-business, business-to-consumer, and consumer-to-consumer transaction in any type of economic activity from auctions to travel is subject to fraud
Abusive competition:
– Submitting negative reviews about competitors
Romance scams
– Related to Nigerian 419 scams

Overview and Estimates
What is surprising?

Large-scale Victimization Studies

U.S. National Crime Victimization Study (NCVS)
Supplement survey on U.S. identity theft: Credit card and bank account fraud
– About 10% of American residents affected in 2016 (7% in 2014)
– About half were contacted by their institution about suspicious activity; the other half noticed fraudulent charges or missing money
– Only about a quarter knew how the compromise occurred
– Most (88.4%) dealt with their bank and some (6.8%) with the police
– Only 12% ended up suffering losses: 15% (of these 12%) made substantial losses ($1,000 or more)

UK Victimization Study by Office of National Statistics
Survey only added a cybercrime component in 2015
– Created a substantial discontinuity in the data: Previously, it was believed that overall victimization was sinking; apparently an illusion
Inclusion of fraud and computer offenses has increased the total from about 6 million offenses to about 11 million offenses

Takeaways – Questions
How do we "manage" this huge diversity of cybercrimes?
– How to invest more effectively? Protection; Mitigation/Recovery/Self-Insurance; Risk-transfer/Cyber-Insurance; Do nothing
– Similar to privacy: Substantial externalities (e.g., bots)
Can we deal with niche crimes, especially if originating in different jurisdictional settings?

It's time to leave. The End. For Today. See you next week in two weeks.
