It’s always been fashionable in the cybersecurity industry to throw up our hands and call cyber crime an intractable problem. We don’t have the technical skills to match hackers, attribution is impossible in cyberspace, we don’t have the legal framework for Internet crimes, or international cooperation is insufficient to go after the shadowy, transnational cabal of cyber criminals.
When I hear this cyber defeatism, I wonder which of these computer crime pundits have any experience with the broader field of criminal investigations. Attribution isn’t only a challenge when a criminal breaks into a computer network; it’s difficult in any sort of break-in. Up to 50% of residential burglaries go unreported in the United States, and those that are reported have a clearance rate of less than 15%. Sometimes even having a picture of the burglar doesn’t help. And if you think examining malware to find its author is difficult, try getting incriminating information out of a violent gang with no tolerance for snitches.
Yet while many of these issues remain challenges in regular policing, we’ve developed investigative methods that generally keep crime in check and give citizens a reasonable expectation of law and order. There’s no reason we can’t do the same in cyberspace, often with similar methods involving informants, undercover operations, forensics, and detective work. One great example of this was the honeypot that brought two Romanian hackers, accused of stealing millions from American credit cards, to the U.S. for prosecution.
From 2008 to 2011, four Romanian hackers were accused of making millions of dollars of purchases with the stolen credit card data of 80,000 customers in the United States. As is typical for most organized cyber crime, their operation wasn’t particularly sophisticated. They scanned for vulnerable commercial point-of-sale or “checkout” computer systems which store your credit card information for tips and processing, then either guessed or cracked their passwords to gain access, all of which can be done with tools available on the black market for download.