To catch a cyber thief
Updated: 2012-11-27 05:59
By Simon Parry(HK Edition)
|
|||||||||
Commercial email fraud has risen four-fold in Hong Kong this year as hackers steal millions from company accounts, often by posing as business partners. All photos Provided to China Daily |
Hong Kong police have set up the city's biggest ever taskforce to combat Internet crime as cyber crooks steal tens of millions from businesses in the city. But how effective will the 100-strong team be in tackling the growing online menace? Simon Parry reports.
The email to the Hong Kong trading company seemed innocent enough. It came from the personal email address of a trusted business partner and included mundane instructions about a change of bank account details.
Fortuitously, it appeared, the email landed in the company secretary's inbox shortly before a routine end of month transfer was due to take place. So, with a few straightforward account adjustments online, the money was swiftly redirected to the partner's new account.
That's how simple it was for cyber criminals to steal HK$450,000 from a Hong Kong company. There was no need for a break-in and the thieves weren't just miles away when the crime was discovered the following week: They were continents away when it was committed.
Increasingly well-organised syndicates, many of them based in Africa, have driven a significant surge in cyber crime against Hong Kong companies over the past year with the number of commercial email fraud quadrupling year-on-year in the first nine months of 2012.
Hong Kong's Commercial Crime Bureau received 281 reports of email fraud from January to September, compared to just 67 during the same period in 2011 with emails originating from a variety of destinations including Nigeria, Lebanon and the Indian sub-continent.
Losses to Hong Kong companies in the reported cases totalled HK$113 million - an eight-fold increase over the same period in 2011 - and experts believe that unreported losses may be far higher.
It is an epidemic that is eating into Hong Kong's profitability and officials are preparing to pool their resources in a new effort to tackle it.
Earlier this month, the issue was top of the agenda at a meeting in Berlin between Hong Kong Commissioner of Police Tsang Wai-hung and Klaus-Dieter Fritsche, state secretary of the German Federal Ministry of the Interior.
At that meeting, Tsang and Fritsche agreed on increased cooperation over cyber security - and acknowledgement that in order to succeed, the fight against Internet crooks must be an international one.
In Hong Kong, the China Daily has learnt, a 100-strong police taskforce - the biggest ever brought together to tackle Internet crime - will be on the tail of cyber crooks from December when a new Cyber Security Centre is launched.
The new center will coordinate the efforts of technology crime officers and liaise with overseas forces to exchange the latest information about the Internet fraud cases.
A spokesperson for the Hong Kong Police Force said the center was being set up "to strengthen our capability in protecting critical infrastructures against cyber attacks" and would be based at police headquarters.
"The center will work in collaboration with various stakeholders, including critical infrastructures, with a view to monitoring data flow, but not the data content, in order to better detect and respond to cyber attacks," the spokesperson said.
Twenty-seven extra police officers will be added to the Technology Crime Division, which operates under the Commercial Crime Bureau, by next year to strengthen the force's fight against cyber attacks, bringing total manpower to 99 police officers and three civilian staff.
Chow Kam-pui of the University of Hong Kong's Department of Computer Science welcomed the news that police efforts against cyber criminals were being stepped up. "In my opinion, you need police to patrol cyberspace in the same way that you need police to patrol the streets," he said.
The new center should help consolidate resources and make them more focussed, Chow said. "Last year there were lots of cyber attacks, like the one on the Hong Kong Stock Exchange. All of this requires a lot of coordination not just in Hong Kong but in other parts of the world as well."
A puzzling element of cyber crime is how criminals often from third world countries successfully fleece large sums of money from business professionals in supposedly sophisticated hi-tech cities like Hong Kong.
"One reason is the sheer volume of people using the Internet," said Chow. "Another reason is that a lot of Internet users, in particular SMEs, are not really that security aware.
"Criminals are also getting cleverer. It is a global problem and the criminals can come from Nigeria, or South America or Russia or anywhere else. One of the main issues is that the techniques (they use) are more widely available today."
The cyber criminals were not always hi-tech hackers, Chow said. They often succeeded by using "phising" techniques where a single email is sent to huge numbers of recipients. "Basically, spam emails are reaching a lot more end users and many of those end users are not that security aware," he said.
"Mobile devices and smart phones improve people's access to the Internet and makes them much more accessible to spam emails. In the past, those emails may have only reached 0.001 of the (online) population which wasn't so high but today of course it represents a much greater number of people."
As well as the Cyber Security Centre, a campaign should be waged to raise public awareness, Chow argued. "If you look at the techniques being used (by cyber criminals), they are not really that sophisticated," he said.
"However, they are reaching a much wider section of the population and we need a lot more general public education to make people aware of what is happening. This kind of crime isn't something you see on TV or or read about in stories anymore: It is actually happening.
"People looking at these cases think it is a hi-tech crime and something the intelligence agencies would deal with, but in fact today it is more widespread.
"There should be public awareness campaigns from the police and some kind of promotion by the Hong Kong Computer Emergency Response Team. We need the media to tell people about this, and in our university we have courses for students about cyber crime. We need to have not just a single source but information from different parties."
Businesses and individuals can protect themselves by being alert and taking simple, common sense steps, said Chow. "If an email is coming from someone you think you know and it involves something financial, the simplest solution is to make a call to that person.
"It's a very simple technique. There's nothing hi-tech about it. If it involves finances, make a call."
Jeffrey Herbert, retired police officer specialising in technology crime and now chief executive director of the Hong Kong cyber security company Centinel, said he believed the police figures on cyber crime represented only the tip of the iceberg.
"A lot of computer crime doesn't actually get reported to police," he said. "It's dealt with civilly. A lot of cases are too difficult for the police and they don't want to take them on, and a lot of companies don't want stuff to come out. They want a settlement and they don't want it to become public."
The reason many crimes went unreported was that they were often effectively "inside jobs", involving former staff members or disgruntled employees, said Herbert, whose company has operated for three years and carries out investigative forensic checks on IT systems.
"When people are disenchanted with a company for any reason, normally when a company has been taken over by another company and staff aren't sure what their position is, they jump ship and find another employer and take as much data as they can with them," he said
Systems could be hacked a year or two years after an employee's departure. "Sometimes you have to go back a long way to find out where the conspiracy started," Herbert explained.
"We look into companies where they have had mass staff defections and have lots of data has gone over to competitors. That is very common in Asia.
"We go in and examine a place and see how many faults they have. A lot of companies think they might have a leak, but when we go in, we find they have a sieve with hundreds of holes in it. It is quite a usual occurrence.
"A lot of problems you have with companies are down to the fact that they believe their IT staff, and the IT staff are very scared for anyone to come and look at their systems because if you find a fault, it is their heads on the line.
"No one can run a completely watertight ship but they (IT staff) are very, very wary of the fact that they have problems and when they have problems they try to suggest there is no problem.
"It is a big thing to get them to admit. They say 'We have firewalls in place' but when you look, it's a totally different matter. This is the weakness in the system. A lot of people think they have security when in fact it is far from adequate."
Police were focussing on email crimes involving overseas hackers because those were the cases reported to them, Herbert said. "They are getting a lot of reports about this and when police get a statistic, they have to hit it with a hammer, otherwise their crime rates go up," he said.
The Cyber Security Centre would have little impact on the real crime trends, he predicted. "It isn't going to solve anything," he said. "There is a crime prevention office, but we still have robberies and we still have murders.
"What is going to solve things is when companies say to themselves 'We've got to get an outside audit done on our systems and we've got to make sure we have security in place and we've got to be aware of the fact that the weakest part of any security system is our own individuals."
"That's what it comes down to. It is having a security system in place you can still work with and which protects you and protects your assets."
Chow said he believed one of the biggest challenges would be keeping pace with the constant changes in the methods of the cyber criminals. "The police are focussing on the types of crime already in existence but different crimes will appear in the future," he said.
"In the US there is a lot of identity theft where people steal your identity and use your name to apply for credit cards and other things, but this is not very common in Hong Kong yet.
"There will be all sorts of different crimes, and the email crime is just one specific type. Whether other types of crime come to Hong Kong will depend largely on the trends and whether the criminal thinks it will be effective here."
(HK Edition 11/27/2012 page4)