Cyber crime is costing U.S. consumers and businesses millions of dollars every year. Cyber criminals have breached payment processing systems at Target, Walmart, Neiman Marcus and many other merchants, showing that no store is immune. Even non-merchants are routinely probed by hackers to find vulnerabilities that might provide access to sensitive employee information, company databases and industry secrets.
Since financial gain is the primary goal, it is no surprise that payment systems are a prime target. Major retailers and even small businesses create databases of personal information and credit card numbers, and every business day sees these databases grow. With the right combination of personal information and financial data, cyber criminals can gain the use of someone’s credit card or get new credit cards issued in the victim’s name. Techniques used to collect this information are varied and include the following:
Malware
Malware typically installs itself when a user downloads what they believe is a useful piece of software. It can do a number of things, such as display pop-up windows, redirect a browser or install malicious code such as spyware, which can reveal your online viewing history and passwords. Browser redirects and pop-up ads are often aimed at getting the user to divulge personal information and credit card or financial institution numbers.
Spam
Spam is a huge problem for consumers and businesses. Spam emails usually offer some kind of benefit, such as low-cost prescription drugs, and may be connected to legitimate merchants. Most spam, however, exists only to lure readers to a web page that requests personal information, or includes an automatic download that instantly infects your computer with malware or spyware.
Phishing and Spear Phishing
A form of spam, phishing emails try to get users to enter a relationship of some kind with the sender, usually with the intent to get them to divulge personal information. Phishing emails mask themselves as official company emails, contests, newsletters, links to funny videos or other types of information designed to engage the reader. The latest twist in phishing is called spear phishing. In this case, the address book of a friend or coworker is used, and emails appear to originate from that source, providing a false sense of security. Spear phishing attacks can be very effective.
Unsecured Networks
Public wireless networks are a boon to travelers and remote workers, but public access on a network that fails to address matters of cybersecurity is an invitation for criminal activity. When using an unsecured wireless connection, there is no protection against unlawful viewing of data being sent across the network, including password and credit card information. Any information being sent from computers on an unsecured wireless network can be viewed by unscrupulous third parties.
Unsecured Data
The proliferation of consumer databases that include personal and financial information means a lot more people have access to this information every day. Security breaches are aided by lack of company policy concerning sensitive material, poor employee screening and buildings that lack proper physical security. Printouts containing password and personal information can end up in standard waste receptacles, where they can be located by thieves. An angry or untrustworthy employee can expose security details. Individuals who gain physical access to workstations can install keyloggers or search the network for data.
These threats are being combated in a number of ways by local, state and federal authorities, as well as by businesses and consumers, who are often their own best line of defense. Education is a key component, as is the simple knowledge that even though threats are increasing, we are not powerless in the face of cyber crime.
U.S. consumers are becoming more educated about the threat of links in spam, and the existence of malware and spyware embedded in software downloads. Sales of anti-virus and anti-malware products are high, and the best of these products are designed to be easily updateable so new threats can be thwarted before they become an issue for users. Anti-virus software producers often offer an enterprise version of their software that is more robust than the consumer edition and is intended to protect large computer networks.
Merchants and financial institutions are stepping up to the threat by employing more personnel skilled at cybersecurity. They are implementing policy updates, developing better encryption, increasing security at offices where workstations are located and finding other ways to limit exposure of customer data to third parties. They are being aided by government rules and regulations that encourage a higher state of security for consumer databases.
The federal government promotes cybersecurity through a combination of departments and organizations, including the Federal Communications Commission (FCC), Department of Homeland Security (DHS), Immigration and Customs Enforcement (ICE), and the Secret Service.
The FCC provides advice and cybersecurity tips through different outlets, including its Cybersecurity for Small Business website.
The DHS works with public and private groups to raise cybersecurity awareness and to increase digital literacy. The Multi-State Information Sharing and Analysis Center (MS-ISAC) and the National Association of State Chief Information Officers (NASCIO) are among the organizations partnering with DHS to help protect consumers and businesses from cyber crime and related threats.
The Cyber Crimes Center (C3) of ICE works to stem the flow of fake identity and immigration documents. It has special sections devoted to crimes such as child exploitation and human trafficking.
The Electronic Crimes Task Forces (ECTF) of the Secret Service are tasked with pursuing transnational cyber criminals responsible for bank fraud, cybersecurity intrusions, data theft and other offenses. The Secret Service also operates the National Computer Forensics Institute, which provides law enforcement officers and other criminal justice professionals with training in conducting cyber-related investigations.
Because the large number of agencies and organizations involved in the realm of cybersecurity need highly trained individuals who are skilled in many disciplines, including criminal justice, psychology, homeland security law and digital communication, the demand for cybersecurity professionals is expected to be strong for the foreseeable future.