Hacking marches in step with ecommerce

by Vicki August, Computing

15 Feb 2000

John Bond is chairman of high-street bank HSBC. He's not a geek. He's not a nerd. But he is very interested in computer security.

And you should be too. Bond told delegates at the World Economic Forum in Davos, Switzerland, that an unidentified hacker tried to break into his system, trying 50 million passwords over a two-day period last year.

HSBC's internal security resisted the attack, and the intruder failed to break into the company's critical access control system. "We experience unsuccessful attacks on our files on a regular basis," says Bond.

He's not alone. Lloyd's of London was forced to shut down its website after a hacker broke in twice. Thousands of Virgin email users were issued with new passwords after the company discovered an outsider had been attempting to tap into its mailing system. More than 170,000 of Virgin Net's 800,000 UK customers had their service temporarily withdrawn a few weeks ago.

A United Nations agency was forced to close down part of its website after it was hacked by a cyber vandal, who changed a link on the site to display the lyrics of a Bruce Springsteen song, under the caption 'children of the darkstar'. And last month, an anonymous cyber-thief stole the details of hundreds, possibly even thousands, of credit cards from ecommerce websites including cdUniverse.

Cybercrime is on the rise
According to official statistics, so-called cybercrime is among the fastest-growing criminal activities in the UK. Electronic fraud and forgery have risen by 29 per cent (70,000 offences) in the past year, according to government crime figures released last month. Along with the 19 per cent rise in inner city street robbery, it's the increase in volume of credit card fraud on the internet that has pushed UK crime figures up for the first time in six years.

These figures are still low compared with the US, where reported incidents of online crime are rocketing. A 43 per cent increase was reported last year, according to federal law enforcement agencies. Cert, originally the Computer Emergency Response Team and part of a nationally-funded research and development centre tackling internet crime and security, recorded that the number of incidents doubled in the past year, from 3,734 in 1988 to 8,268 in 1999. An FBI survey of Fortune 500 companies found that 62 per cent suffered computer security breaches in 1999.

Such incidents cover a range of online activities, from fraud to terrorism, from being incorrectly charged for goods or services never received to credit card numbers being sold to other fraudsters; from stealing of company secrets to ransom demands.

The situation will get worse, says analyst GartnerGroup. Most Global 2000 organisations will face a "substantial and costly information security breach" within the next 12 months, says Gartner. The researcher also warns that, by 2001, all national governments will very likely face ongoing information security threats on a monthly basis.

Risky business?
Cybercrime isn't new. Letting it in through any open internet door is. As the number of people online increases, so do the risks, says John Prideau, executive vice president for Visa's new European products.

"Internet crime is the most significant problem Visa is dealing with in Europe," he says. At the moment, internet shopping represents just one per cent of European sales for Visa - but more than 50 per cent of the credit card disputes it deals with are internet-related.

Credit card fraud cost Visa banks in Europe $250 million (£150m) last year, according to Prideau. The idea that internet shopping is "just as safe as shopping over the phone" is a myth, he says. "Credit card purchases over the internet are twice as likely to be disputed as those via the telephone."

Visa is taking steps immediately. These are likely to include the adoption of the secure electronic transaction (SET) standard, and greater use of smartcards.

Although smartcards and standards can help protect businesses and consumers, the only real way to ensure hackers do not get in is to invest in securing your IT systems.

The problem is that the cost of protecting businesses is large. In centralised IT configurations, Gartner suggests that information security spending should account for between two and three per cent of the IT budget. In distributed configurations, spending should rise to between five and eight per cent of the budget. In a traditional mainframe environment, between 15 and 25 per cent may be required.

When this cost is added to the sum required to repair the damage when hackers do get in, you end up with a substantial bill. It is hardly surprising that businesses are keen to pursue perpetrators to recover some of the cost. But although some have tried, the legal infrastructure may not be in place to deal with it. Take the 20-year-old telephone delinquent who used his computer skills to run up an illegal £106,000 phone bill. Despite that six-figure loss to BT - deemed unrecoverable - technical reasons meant he could be charged only with extracting electricity worth just a few pence.

The international problem
The UK government says it is doing everything it can to address the problem. Last month, Home Secretary Jack Straw followed up his promise at last year's G8 summit to set up a cybercrime unit, announcing he was giving the National Criminal Intelligence Service £337,000 to draw up a detailed plan for a high-tech crime squad.

The question is, however, can any such national programme tackle an international problem such as cybercrime? The lack of an international legal body makes tackling cybercrime very difficult, according to Dominic Fox, head of operations at the cybercrime unit of the International Chamber of Commerce, which opened its doors for the first time in January.

"Lots of countries have established laws to protect individuals and businesses from online crime," he says. "But many of them run into problems when they try to cross national boundaries. There is no global law."

Even if international laws were established, the chances are that many businesses would still choose to deal with online attacks quietly, for fear of scaring customers and shareholders by going public. "It is often said that for every incident reported, 40 aren't," says Fox.

Large accounting firms have found that customers would rather speak to them than to the authorities about certain online attacks. The demand has become so great that both Deloitte & Touche and PricewaterhouseCoopers (PwC) established cyber fraud squads last year. These teams investigate crimes and evaluate security systems. Smaller firms are also joining in, as is IBM.

"We have noticed a considerable increase in the number of crimes online," says Richard Stevens, partner in charge of computer forensics with PwC. "As more businesses are online, there are more possible to hit. Also, more intellectual property is held electronically, and with a greater degree of electronic openness it's inevitable that crime will increase."

Stevens worries that cybercrime may have a detrimental effect on businesses. "This is merely another facet of moving from paper-based business to ecommerce," he says. "People must prepare for it and protect against it. The only other option is to avoid the internet altogether - which could prove a far greater risk to business."
