The Green Sheet Online Edition
December 24, 2012 • Issue 12:12:02
Experts doubt SAFE WEB Act slows cyber crime
On Dec. 4, 2012, the U.S. Congress reauthorized the U.S. SAFE WEB Act, which confers on the Federal Trade Commission broad cross-border fraud fighting powers. But payment security experts don't expect the reauthorization to have much impact on fraud and theft inflicted on the payments industry by international gangs of cyber thieves.
The act, first passed in 2006 and now renewed to 2020, allows the FTC to share cross-border cyber fraud information with consumer protection agencies in other countries, receive confidential cyber crime information from foreign consumer protection agencies, sue for acts of cyber fraud involving foreign commerce or misconduct in the United States, sue on behalf of foreign victims swindled by U.S.-based cyber criminals, and make criminal referrals for cross-border cyber criminal activity.
Cyber crime still a growing business
Julie Conroy, Research Director at Aite Group LLC, stated, "While the reauthorization of the U.S. SAFE WEB Act certainly isn't a bad thing ... it has only succeeded in addressing the tip of the iceberg in the six years since its inception."
Conroy said the wave of attacks against the payments value chain has only grown worse since the legislation passed. She expects attacks to continue to increase because "there is so little in the way of adverse consequences" for international cyber criminal gangs. "Defensive strategies are currently the predominant approach to combating the crime, and at this point, the forces of good are losing," she added. "The bad guys don't need to make a business case to deploy new and innovative attacks whereas businesses usually do."
Conroy noted that fraudsters keep a step ahead of the law by exploiting the communication challenges between law enforcement bodies in each jurisdiction and spreading their illicit activities across multiple countries.
"[W]hat is needed is an international task force, solely focused on combating cyber crime, that is empowered to cut through the red tape and act quickly to stem the tide," Conroy said. "Until there is a deterrent in the form of a real risk of capture and prosecution, we will continue to see the rising tide of cyber crime attacking the financial services value chain, and the bad guys will continue to have the edge."
Criminal cyber activity abundant in payments
Brian Krebs, a former staff writer for The Washington Post who covers computer security and cyber crime, reported Nov. 29, 2012, on his security blog, KrebsonSecurity.com, that one criminal enterprise is boldly advertising on Russian language cyber crime forums that it will assist in laundering money stolen in U.S. cyber crime schemes.
Krebs said the advertisement tells potential clients the enterprise has a network of agents in six major U.S. cities who will not only help clients steal and launder money but will also pick up high-value merchandise purchased through cyber fraud. In return, the network keeps 40 to 45 percent of the value of the theft. Krebs reported the service regularly launders $30,000 to $100,000 a day.
A white paper released the first week of December 2012 detailed the discovery of powerful malware used to infect bank systems and intercept text messages containing transaction authorization numbers.
In the report, security researchers Eran Kalige, Head of Security Operation Center at versafe Inc., and Darrell Burkey, Director of IPS Products for Check Point Software Technologies, estimated the malware helped thieves steal over $47 million from more than 30,000 bank customers in Italy, Germany, Spain and Holland.
The malware was not only able to get around banks' computer security, it was also able, once it breached banks' computers, to use banks' own systems to authenticate transfers.
More doubts and concerns
Montreal-based payment attorney Adam Atlas said he doesn't expect the act's reauthorization to have a serious impact on legitimate payment providers. "It may create more litigation for high-risk providers that service dubious merchants," he said. "The law raises more privacy issues than it does core-payment issues."
Jason Oxman, Chief Executive Officer at the Electronic Transactions Association, said the payments industry is in "the forefront of instituting self-regulatory measures" in the fight against cyber crime. He noted the payments industry was not included in several cyber security bills in the U.S. Senate this year that addressed the security needs of many other industries.
Those industries "may not have the same level of preparedness as the payments industry," Oxman said, adding that criminal activity "should be addressed by targeting the criminals, not by imposing new regulatory obligations on payments companies that already have systems and procedures in place that protect consumers and insulate them from liability for fraudulent use of their cards."
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.