SAN FRANCISCO -- The timing was perfect for one of the nation's biggest information services to warn consumers this week that their digital identities had been stolen. That is, if you were presenting at the RSA Conference.
Numerous speakers at the industry's premiere security conference made an example of ChoicePoint Inc., in which conmen posed as fake companies to convince employees to e-mail the names, Social Security numbers and other sensitive data of thousands of people. Some used it to illustrate the threat posed to companies like Georgia-based ChoicePoint, whose reputation is now in shambles. Others used the case to illustrate how good the bad guys were getting at social engineering. As VeriSign chairman and CEO Stratton Sclavos put it: "This is not your father's hacker."
Also Thursday, a Nigerian nationalist tied to the fraud ring was sentenced to 16 months in a California state prison. Others await trial in Los Angeles, where the scam was based. Whether the sentence fits the crime remains debatable, but the timing of the prosecution again was fortuitous for those cybercrime experts speaking on combating the cyber mafia at RSA's first ever town hall meeting that same day.
The ChoicePoint case mirrors a growing trend in which multinational groups of malware writers are bypassing security tools with a more simplistic approach: just asking someone for access codes, financial information and other sensitive data. Such clever engineering is at the heart of phishing,
At the RSA town meeting Thursday, various cybercrime experts said security is improving and less spam, spyware and even phishing attacks now reach desktops. Cooperation between companies, police and prosecutors also is better, and consumer awareness is up. But a lot more is needed to gain control of the situation.
"Electronic crimes are particularly hard for law enforcement," said Ralph Basham, director of the U.S. Secret Service, which is responsible for helping protect the nation's financial infrastructure. "These crimes are not directed at any one demographic. Instead, they affect all Americans."
Basham cited recent law enforcement advances, including "Operation Firewall" last October, which netted 30 suspects believed behind the theft of 1.7 million credit cards worth $4.3 million in reported losses. He says the arrests likely saved victims another $100 million to $1 billion in "prevented losses."
Basham believes enterprises must change corporate culture to embrace security, including training employees to report suspicious behavior, given the insider threat. He also said private industry must work with law enforcement, and that various levels of government also collaborate on catching criminals. "No single federal entity, however well funded and well organized, can protect the nation's financial and critical infrastructure on its own."
Other panelists agreed companies are getting better at securing their networks, which is why hackers are moving down the "food chain" to attack small businesses and consumers lacking resources to properly protect themselves. Washington Mutual CSO David Cullinane, who also presides over the Information Systems Security Association, believes the growing number of consumer complaints is creating a higher "threshold of pain" required for law enforcement to intervene on a victim's behalf.
Cullinane also singled out phishing as particularly troublesome for companies, given the erosion of consumer confidence and brand protection that's resulted from users being duped into divulging private information to fake sites identical to the real things. "Public relations is designed to keep out us out of the news," he said. "Phishing is pushing us in the opposite direction."
Chris Painter, deputy chief of computer crime and intellectual property for the U.S. Justice Department, said cybercrime is now the FBI's No. 3 priority. And former cybersecurity czar Howard Schmidt said public awareness is reducing the number of phishing victims, currently 3% to 5% of all known attempts. E-mail spam filters are starting to flag phish-related messages as well.