Tom's Ten Data Tips - March 2011

Cybercrime

Cybercrime is a pernicious problem with many faces. It can be relatively innocent “cyber graffiti” without commercial intent. This is sometimes called “defacement”, where hackers replace a homepage with some text, often of a political or religious nature. But it can also be vicious, such as theft of credit card data, click fraud, identity takeover, etc. Fighting cybercrime requires a hybrid approach involving both sophisticated technology and enforcement of safe work procedures.

1. Cybercrime Has Many Faces

The web now offers a global playground for hackers and criminals. Cybercrime can take on many forms: from spam, malware, spyware, click fraud, phishing, worms, and Trojan horses to theft of credit card data, network intrusion, and identity takeover, to name just a few. There appears to be a move from ‘mainly’ direct theft to intrusion and infringement on intellectual property, like trade secrets or documents with product planning. All this shows how cybercrime is getting more “professional.”

2. Cybercrime Is A “Job”, Too

Cybercrime has been growing steadily in the past decade, and has become more and more professional. We’ve moved from sat-in-the-bedroom amateurs, to hackers with criminal intent (still on their own account), to the current service-oriented, professional business. It may not be respectable, and may not be legal, but it’s still a real “job.” These days internet criminals even sell products and services (called “crimeware”) to wannabe hackers with questionable intent. Phishing in particular is a serious business, not a hobby. Unfortunately, the chance of getting caught is (currently) close to zero.

There’s an underground market for spam-able email addresses, toolkits, bank account numbers (with the amount!), etc. A Trojan horse (a malign feature hidden inside a “genuine” program) sells for about $600. Zombie masters rent out their networks of hacked computers for criminal purposes.

A significant portion of internet service providers (ISPs) are considered “rogue providers.” ISPs are ideally placed to intrude on their customers’ PCs. Expansion of broadband internet helps gangsters find ever more fertile ground for their activities.

3. Spam Continues To Evolve, But Seems To Be Declining

The first known instance of “spam” (unsolicited commercial email) was as early as May 1978, when an aggressive DEC marketer (Gary Thuerk) sent out a campaign via the ARPANET. Most people consider a “spam” campaign by a pair of Phoenix immigration lawyers (Canter & Siegel) in April 1994 the “real” beginning. Initially, discussions raged about whether spam was morally acceptable. The name “spam” arose from a Monty Python sketch, and has stayed with us ever since. So will spam, unfortunately… Initially, spam was text only. When spam filters started to pick up the majority of it, spammers switched to graphics (image spam).

One can draw parallels between the fight against doping in sports and spam filters. Whenever spam filters improve and block certain classes of messages, the bad guys dream up new ways of getting to their “customers.” At the moment, 90-95% of all email messages sent are spam, and that number was rising steadily until last year. Inexpensive providers contribute to this. Elimination of some “botnets” (the Waledac and Pushdo botnets sent over 1M spam messages per day last year!) contributed to the decline. But a large proportion of messages are already intercepted at the ISP level, and so never reach your computer. Then another big chunk is caught by spam filters at the computer level. Both of these are getting better and better, so the amount coming through is declining, despite the growing volumes of messages sent.

4. Beware Of Your On-Line Ad Metrics

Advertising through website networks or Google AdWords is quite common these days, and constitutes a large share of many companies’ advertising spending. One of the benefits of on-line advertising is higher accountability for the marketing budget. “Proper” monitoring of commercial success requires end-to-end measurement. Sales made as a result of the online ad (typically a banner) are your ultimate goal. Unfortunately, measuring them is hard, and takes a bit longer. That’s why proxies like clicks and hits are used to keep a close eye on ad success. And then there are visitors, unique visitors, etc., and accountability starts to get a bit murky.

Cyber criminals have entered this world, too. An estimated overall 10-20% of traffic is phony. By working for websites that receive traffic (and commensurate compensation) from website banners, they found a “niche”: driving up clicks or hits that were never made by legitimate prospects. Sometimes this inflated traffic is driven by fancy technology (computer programs). But after the trade found means of detecting this “artificial” traffic, much of it moved to so-called “sweat shops” in Eastern Europe, the Far East, and other low-wage countries. These are “genuine” people (humanoids), but needless to say their clicks will not lead to sales…

5. Consistency (In Security) Is Key

Although origins of malware remain unpredictable and criminals appear endlessly creative, solid security can be achieved. That is, in principle... Most companies have the resources on board (human knowledge and technology) to design pretty safe products. But safety needs to be a design consideration from day one. Unfortunately, in the turbulence of day-to-day business, sometimes necessary security policies somehow don’t get implemented. Attackers look for weak spots, just like the Germans circumvented the Maginot line in France and got an easy entrance through Belgium.

This points to a fundamental weakness in IT Governance present in many organizations: although the resources are there, in principle, it turns out to be difficult to leverage them in concert. And fighting cybercrime is all about consistently applying the available security technology.

6. Fighting Cybercrime Is A Balancing Act

The war on cybercrime is a motherhood and apple pie issue. Everybody agrees cybercrime is bad, and everybody agrees something should be done about it. But then the rubber meets the road. How? Unfortunately there is no silver bullet, and the industry shows few signs of standardization. At least so far.

For something as omnipresent as logging on, there’s a myriad of solutions. The same holds even for something as relatively specialized as “strong authentication” (going beyond username + password). You can have (additional) hardware tokens, “bingo forms”, additional SMS passwords, and sometimes biometric techniques, although those are not yet widely adopted.

What security measures have in common is a balancing act. There is a desired level of security, maintainability of such a solution, cost (and not just IT), and of course user friendliness. Unfortunately, you can’t optimize them all, at least not at the same time.

7. Authentication Only Watches The Front Door

Every customer, on every PC they ever use, forms a potential threat. Any time a customer contacts you, a cyber criminal might have taken on their identity. That’s why you still need fraud monitoring for systems that are considered to be “inside” and are supposed (and expected) to be safe. The nature of this “Tom & Jerry” game has taught criminals that they sometimes need to exercise some patience before they make their move. Businesses need to stay vigilant throughout the customer life cycle.

8. Identity Fraud (Takeover) Is Much Bigger In The US Than Europe

Historically, identity fraud (identity takeover) has been much, much more prevalent in the US than it was in Europe. There were two important reasons for this. Firstly, the US has always had a lively “reselling” market for customer data. This even holds for data that could be accessed by anyone, like public federal and state records that are freely available on the web. However, turning them into useful information was still enough of a challenge that professional parties could make a living out of this. And they still do. The second reason is that in the US, people’s social security number has long been an administrative key, used for identification by many organizations (governmental and private alike). In Europe, database administrators (DBAs) were always forbidden to use these numbers as primary keys in their database systems. This made their work a lot more cumbersome, but did provide some privacy protection to citizens.

Now that Europe is beginning to adopt the social security number as a business key, one wonders what effect this will have, long-term.

9. 100% Security Is An Illusion

Cybercrime is here to stay. We have made advances in lowering spam (see tip #3), in the face of ever growing numbers of unsolicited messages sent. We are getting better and better at detecting suspicious transactions. Yet despite advances in many areas, it’s an illusion that we can ever expect to banish these problems. And even if we tried, the cure would be much worse than the disease, because security measures often stand in the way of user-friendliness, customer service, and other benefits we genuinely expect from product and service suppliers. You need to balance the cost of damages against the inconveniences of extreme security measures. Although technology can and should help with that, extinguishing the problem altogether is an illusion.

10. In The End It’s About People

Computers play an ever greater role in both our private and our corporate lives. The digital universe was estimated to contain 281 Exabytes in 2007, and continues to grow at a dazzling rate. No matter how much security or detection technology we put into our systems, they are operated by people, and these people need to help ensure security. They do so by staying alert when they get a ‘fishy’ message and can’t immediately determine whether the sender is authentic or not, or a message from an automated system that may “simply” have gone astray, or have been hijacked.

Fraud, for instance, is more often committed from ‘within’ the organization than from the outside. That’s because we allow for different levels of security for employees than we do for customers. Safe systems rely on an interplay between following (safe) procedures, up-to-date technology (see also tip #5), and a modicum of common sense to keep your eye out for the casual criminal whose life you don’t want to make too easy.

Contact
XLNT Consulting
Tom Breur, Principal

E-mail
Email Tom Breur

Telephone
+31-6-463 468 75

Address
Langestraat 8-03
5038 SE Tilburg
the Netherlands