A Thing
The Green SheetGreen Sheet

Friday, December 7, 2012

Experts doubt SAFE WEB Act slows cyber crime

On Dec. 4, 2012, the U.S. Congress reauthorized the U.S. SAFE WEB Act, which confers on the Federal Trade Commission broad cross-border fraud fighting powers. But payment security experts don't expect the reauthorization to have much of an impact on the fraud and theft inflicted on the payments industry by international gangs of cyber thieves.

Their concerns did not blunt Congressional enthusiasm for the reauthorization, however. "Nearly everyone in America has a stake in making certain that the Federal Trade Commission has the powers it needs to fight online fraud," Congresswoman Mary Bono Mack, R-Calif., said after Congress voted to renew the act.

The act, first passed in 2006 and now renewed to 2020, allows the FTC to share cross-border cyber fraud information with consumer protection agencies in other countries; receive confidential cyber crime information from foreign consumer protection agencies; sue for acts of cyber fraud involving foreign commerce or misconduct in the United States; sue on behalf of foreign victims swindled by U.S.-based cyber criminals; and make criminal referrals for cross-border cyber criminal activity.

Cyber crime still a growing business

Julie Conroy, Research Director at Aite Group LLC, commented, "While the reauthorization of the U.S. SAFE WEB Act certainly isn't a bad thing ... it has only succeeded in addressing the tip of the iceberg in the six years since its inception."

Conroy said the wave of attacks against the payment value chain has only grown worse since the legislation passed. She expects attacks to continue to increase because "there is so little in the way of adverse consequences" for international cyber criminal gangs.

"Defensive strategies are currently the predominant approach to combating the crime, and at this point, the forces of good are losing," she said. "The bad guys don't need to make a business case to deploy new and innovative attacks whereas businesses usually do."

While Conroy acknowledges that law enforcement is engaged in fighting the problem, fraudsters keep a step ahead of the law by exploiting the communication challenges between law enforcement bodies in each jurisdiction and spreading their illicit activities across multiple countries.

Conroy believes the solution rests in international cooperation. "[W]hat is needed is an international task force, solely focused on combating cyber crime, that is empowered to cut through the red tape and act quickly to stem the tide," she said. "Until there is a deterrent in the form of a real risk of capture and prosecution, we will continue to see the rising tide of cyber crime attacking the financial services value chain, and the bad guys will continue to have the edge."

Criminal cyber activity abundant in payments

Proof of the extent of criminal activity in payments was evident in December 2012. Brian Krebs, a former staff writer for The Washington Post who covers computer security and cyber crime, reported Nov. 29, 2012, on his security blog, KrebsonSecurity.com, that one criminal enterprise is boldly advertising on Russian language cyber crime forums that it will assist in laundering money stolen in U.S. cyber crime schemes.

Krebs said the advertisement tells potential clients the enterprise has a network of agents in six major U.S. cities who will not only help clients steal and launder money but will also pick up high-value merchandise purchased through cyber fraud. In return for these services, the network keeps 40 to 45 percent of the value of the theft. Krebs reported the service regularly launders $30,000 to $100,000 a day for clients.

A white paper released the first week of December 2012 detailed the discovery of powerful malware used to infect bank systems and intercept text messages containing transaction authorization numbers.

In the report, security researchers Eran Kalige, Head of Security Operation Center at versafe Inc., and Darrell Burkey, Director of IPS Products for Check Point Software Technologies, estimate the malware helped thieves to steal over $47 million from more than 30,000 bank customers in Italy, Germany, Spain and Holland.

But the attacks did not end there. The malware was not only able to get around banks' computer security, it was also able, once it breached banks' computers, to use banks' own systems to authenticate transfers.

More doubts and concerns

Montreal-based payments attorney Adam Atlas said he doesn't expect the act's reauthorization to have a serious impact on legitimate payment providers. "It may create more litigation for high-risk providers that service dubious merchants," he said. "The law raises more privacy issues than it does core-payment issues."

Jason Oxman, Chief Executive Officer at the Electronic Transactions Association, said the payments industry is in "the forefront of instituting self-regulatory measures" in the fight against cyber crime. He noted the payments industry was not included in several cyber security bills in the U.S. Senate this year that addressed the security needs of many other industries. Those industries "may not have the same level of preparedness as the payments industry," he added.

Oxman stressed the importance of focusing on the criminals, not regulating the companies and processes that mitigate attacks. He said, "Criminal activity should be addressed by targeting the criminals, not by imposing new regulatory obligations on payments companies that already have systems and procedures in place that protect consumers and insulate them from liability for fraudulent use of their cards." end of article

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2022 2021 2020 2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing