Criminals have stolen more than $479,000 from a Pennsylvania housing development authority after infecting its computer system with the notorious Clampi Trojan. The crime is the latest in a rash of heists from small business banking users in the US, which has led some industry bodies to suggest radical lock-down procedures for companies banking online.
According to local press reports, the Trojan was installed through a fake Web site purporting to belong to Cumberland County Redevelopment Authority's bank, M&T.
Once installed, Clampi stole passcodes which were used to transfer the money to bank accounts set up by the hackers at 11 different financial institutions. About $109,000 has been recovered since the money was taken on 22 September.
[From Finextra: $479,000 heist from small business bank account lends weight to calls for online banking 'lock-down']
This is clearly recognisable e-crime, but there are many other forms. In the UK, probably the biggest single category of business fraud is VAT carousel fraud. Is this an e-crime or not? Even though the crime is perpetrated using computers, I wouldn't call it an e-crime, since exactly the same crime could be carried out in exactly the same way without computers. What about credit card fraud? That clearly needs computers to execute at scale, but again I wouldn't really call cloning magnetic stripes "e-crime". I'd give card fraud its own category.
Police in 12 countries have arrested 178 people accused of involvement in an international credit card cloning ring that is believed to have netted crooks around EUR20 million. According to the Spanish Interior ministry, the arrests come after a two-year investigation that culminated in 84 raids in Spain, Italy, Romania, France, Germany, Ireland, Sweden, Greece, Finland, Hungary, the US and Australia.
The raids turned up 11 cloning 'laboratories' with around 120,000 card numbers and 5000 fake cards found in Spain alone.
[From Finextra: Card cloning raids net 178 arrests]
What? $20m? That's peanuts. Some guy was just indicted for a fraud fifty times bigger than that.
Former South Florida lawyer Scott Rothstein was sentenced to 50 years in prison for using his law firm to run a $1.2 billion Ponzi scheme that financed a lavish lifestyle, bankrolled his firm and bought political influence.
[From Rothstein Gets 50 Years for $1.2 Billion Fraud (Update3) – BusinessWeek]
Card fraud is so last year. But on to the report.
I didn't realise that the Welsh Assembly has an e-crime minister and that was why they sponsored this report from the accountants Deloitte. The report basically said that e-crime is:
- A big problem.
- Anonymous.
- Organised and international.
- Sophisticated.
Mike Maddison from Deloitte said — as I was noting above — that many of the crimes (eg, extortion) are just the same old crimes but executed using e-mail, or whatever, instead of phone calls. He's right, which makes me wonder if we need a slightly different terminology. From now on, I will refer to computer-mediated crime to mean the same old crimes but carried out using technology invented after I was born and I will use e-crime to mean crimes that could only take place using technology invented after I was born.
So, what to do about e-crime, and particularly payment-related e-crime? Personally, I think the answer should involve, as we often discuss over at Digital Identity, the development of a much better identity and authentication infrastructure. Much of the e-crime discussed in the report is really identity fraud of one form or another, so it might be fruitful to classify many of these frauds much more specifically as identity crimes, because this will push us toward developing a better infrastructure. This needs to be developed into an infrastructure for businesses as well as individuals — I should be able to prove that I am an executive officer of Consult Hyperion as well as prove that I am Dave Birch — because, as Darren Hodder notes in an article on "Emerging online fraud and cybercrime threats" in the current issue of E-Finance & Payments Law & Policy, corporate identity theft is often much easier to commit than personal identity theft. (Interestingly, Darren points to NSTIC as a potential way forward, and one of the projects I am working on at the moment is looking at this.)
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.