Cyber-crime expert's advice is to trust no one
"That's not the reality today," said Special Agent Timothy Russell, supervisor of the FBI's cyber crime unit in Boston, known officially as the Criminal and National Security Computer Intrusion Squad. "There is a very sophisticated underground economy that traffics in cyber crime."
Russell was a keynote speaker at a seminar on e-commerce hosted by the New Hampshire Small Business Development Center on Friday at Nashua Community College. He warned the group of online entrepreneurs that security needs to be one of their top concerns in a world where cyber crime is now big business.
Gone are the days when someone hoping to access credit card or bank account information had to have some sophisticated coding skills of their own, he said, describing a network of cyber criminals operating through online forums to provide professional services to would-be hackers.
"You don't have to be smart to create this yourself," he said. Hacking software can be purchased online using PayPal or credit cards, with forums and how-to's to simplify an illegal activity. "You buy a product; you try to break into a site; and if it doesn't work exactly as it should, you can submit a help ticket," he said. "It's become very professional and there's lots of money to be made."
The going rate for stolen bank accounts ranges from $10 to $1,000, depending on the bank and its restrictions on withdrawal amounts. Credit card numbers can fetch $25 each. Full identities go for $30. Sometimes much of the data people pay for is useless because it is either out of date or attempts to use it fail due to security. But there is no shortage of people willing to buy 100 accounts in the hope of accessing one or two.
Russell said the FBI estimates that 18 percent of U.S. bank accounts and 16 percent of credit cards (including CVV2 numbers) are now compromised or in the hands of professional cyber criminals, some working for organized crime syndicates.
The online business owners in the group, most of whom have no brick or mortar presence, got a sobering message about the security they need from their Internet service provider. Protocols for secure communication and intrusion protection systems are effective, he said, but need to be acquired and constantly updated.
Failure to do so can have severe consequences, he said, since most cyber crimes are crimes of opportunity, in which criminals or their computers are looking for vulnerabilities or easy targets.
Russell described one investigation in which a Boston area businessman felt he did not need to invest in security measures because his website was not used for e-commerce, but only to promote the brick and mortar store. When he got the bill for bandwidth, it looked like his customer base had quadrupled, with traffic back and forth from an overseas location.
A jihadist group had hijacked his service and was using it behind the scenes to host a site for online terrorist training named Mu'askar al Battar or Camp of the Sword, with a home page that read, "Oh Mujahid brother, in order to join the great training camps, you don't have to travel to other lands. Alone in your home or with a group of your brothers, you too can execute the training program."
Small online businesses are a popular target for hackers, he warned, since their websites often have a trusted connection to a credit card processor and a lot of two-way traffic. Attempts to set up "botnets," networks of compromised computers that respond to the hacker's commands, often start with business websites.
As consumer preference moves away from personal computers to mobile devices, criminals are following them, he said, calling smart phones and tablets "a vector to victimization through data theft and eavesdropping" because of the large number of third-party applications.
He said most of the attacks involving mobile devices come from Google's Android applications, which are more open to users. "Microsoft is still pretty new to the mobile market, and Apple has a closed architecture," he said.
Russell emphasized several times that he wasn't trying to scare online entrepreneurs, but his message was eye-opening. One slide summed it all up: "Trust No One."
"If you are online, you are being probed," he said. "That is just the nature of life on the Internet."