The threat from cybercrime

an article added by: Frank C. at 06032007




  

Hackers; e-theft; netspionage; domain scams; telecoms; credit cards. The Fraud Advisory Panel of the Cybercrime Working Group at the ICAEW reports on where companies are finding themselves vulnerable.

Hackers

Hackers divide into two main groups: the internal hacker and the external hacker. Hackers may work as individuals or in highly organised gangs, either of which may attempt to gain access to a computer system in order to carry out a criminal activity. The hacker may intend to steal information or funds, to publicise a cause (more commonly known as ‘hacktivism’) or to deface a website. Some hackers claim to hack the sites of software developers and others in order to prove that security can be violated and to highlight security flaws.

In January 2002 hackers cut off the website of the World Economic Forum through a ‘denial of service’ attack, disrupting a conference of world political and economic leaders. In the previous year, the hackers broke into the site and stole details of 27,000 delegates attending the conference. The Department of Trade and Industry (DTI) Report [1] of April 2002 reveals that key UK government departments face an average of 84 hacking attempts a week.

Web sabotage is a major cause of concern for the Police. Hackers access genuine websites and alter their appearance, change information or set up a replica website using false information. A recent example of web sabotage involved the Red Cross website. The site was cloned by hackers following the events of September 11th and for 36 hours all donations made to the Red Cross were diverted to a cyber-fraudster.

Internal hackers do not have to penetrate the system from the outside. It is therefore far easier for an internal hacker to cause damage. PricewaterhouseCoopers reported in June 2001 that 60 per cent of frauds were committed internally. It has also been reported that up to 75 per cent of thefts and frauds have been committed by an insider.

[1] Information Security Breaches Survey 2002, DTI. Original source: ‘Hackers target UK national infrastructure’, Andy McCue, vnu.net.com report, 26 March 2002.

E-theft

It was reported [2] in early 2001 that an employee of an oil company managed to steal US$473,541 through e-theft. She transferred funds from the company to her husband’s business in two electronic transactions over an 11-month period. The fraud took so long to uncover because of the procedures adopted by the company. The broker handling accounts never received a list of authorised accounts to which he could transfer funds, and because duties in the company were segregated, the left hand didn’t know what the right hand was doing! In January 2002, it was reported by Evans Data [3] that 27 per cent of US and Canadian banks suffered a hack attempt during 2001.

Netspionage

Netspionage is where confidential information is stolen from a company by hackers, to sell to a competitor or for the use of individuals in their business exploits. Espionage was originally limited to governments, but in the information age the rise of corporate espionage has been rapid. In March 2001 it was reported [4] that an unidentified hacker escaped with the system codes for satellite and missile guidance systems. The theft was not even discovered until three days after it had happened. It was widely suspected that the information was to be used for the purposes of industrial espionage. According to recent surveys, worldwide losses suffered through misappropriation of computerised intellectual property cost copyright owners close to US$20 billion last year.

Canal Plus is suing NDS Group plc for US$3 billion for allegedly sabotaging its business. It is alleged that NDS obtained the security code on the Canal Plus smartcard, which gave viewers a choice of different channels. Whilst many companies engage in reverse-engineering to examine their competitors’ products, Canal Plus claims that NDS published the security code on the Internet, where it was picked up by international counterfeiters. In turn, it is alleged that the counterfeiters produced fake smartcards that allowed users to watch subscription channels free. Canal Plus says that this was a deliberate plan to sabotage the business in which it was a market leader. The allegations have been denied.

In a report [5] by the Confederation of British Industry (CBI) in August 2001, six per cent of UK respondents reported that they had suffered from netspionage, and quantifiable losses were set at £151 million compared to £66 million in the same report in the previous year.

[2] All Wired Up, ‘Electronic funds transfers are prime targets’, Joseph R Dervaes, Association of Fraud Examiners, 2001.
[3] Newsbytes, ‘27% of US Canadian Banking Databases Breached’, Dick Kelsey, Evans Data Corp, 22 January 2002.
[4] ‘Hacker nabs top secret US space codes’, ZDNet UK News, 2 March 2001.

Domain name renewal scams

A recent scam to emerge concerns domain name renewal. This has been a concern in both the US and Europe. A victim will commonly receive an email from a sender who is purportedly a domain name registrar. The registrar offers you an opportunity to upgrade your website address with the new suffix ‘.info’. The email will include a hyperlink to allow you to read more information about the upgrade; however, when you follow the link, the program functions as if you had agreed to transfer your domain name. The domain name is then transferred to the sender’s company as registrar, which claims that you requested the transfer.

Telecom fraud

Telecom fraud is a less well-known method of committing e-theft. This method is estimated to net organised gangs of fraudsters £40 billion a year. One method used is ‘phreaking’, which is the equivalent of hacking on computer networks. A company’s telephone exchange is penetrated using a computer program which permits the calls to be resold to other users. Usually a cheap telephone company is set up offering international calls at a very low cost. In one case this type of fraud cost a business £750,000 in extra telephone calls.

A different type of telecom fraud is known as ‘premium rate’ fraud. Businesses are particularly susceptible to this kind of fraud, which involves an employee dialling a premium rate number at night and leaving the telephone off the hook. The employee’s accomplice will have set up the premium rate number and then charges the company for the cost of the telephone call.
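The premium rate pattern described above leaves a trace in the telephone exchange's call records. The following is an added example, not part of the original article: it totals long calls to premium-rate numbers that touch the overnight window, per extension and number. The record layout, the extension and telephone numbers, the ‘09’ prefix, the night window and the one-hour threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, time, timedelta

# Constructed call records: (extension, dialled number, start, duration in seconds).
SAMPLE_CDRS = [
    ("2041", "02079460001", "2002-03-11 10:15:00", 240),      # ordinary call
    ("2041", "09011234567", "2002-03-11 13:05:00", 95),       # short daytime premium call
    ("2187", "09061230000", "2002-03-11 22:40:00", 21600),    # six hours overnight
    ("2187", "09061230000", "2002-03-12 23:10:00", 18000),    # same pair, next night
    ("2300", "0016175550100", "2002-03-12 02:00:00", 5400),   # long night call, not premium
    ("2255", "09099990000", "2002-03-13 18:50:00", 14400),    # starts in hours, runs into night
]

PREMIUM_PREFIXES = ("09",)                        # assumption: UK premium-rate range
NIGHT_START, NIGHT_END = time(19, 0), time(7, 0)  # assumption: office closed 19:00-07:00
MIN_SECONDS = 3600                                # assumption: "off the hook" is an hour or more


def out_of_hours(moment):
    """True when the clock time falls inside the overnight window."""
    return moment.time() >= NIGHT_START or moment.time() < NIGHT_END


def flag_premium_rate_abuse(cdrs):
    """Total long premium-rate calls touching the night window, per (extension, number)."""
    totals = {}
    for extension, number, started, seconds in cdrs:
        if not number.startswith(PREMIUM_PREFIXES) or seconds < MIN_SECONDS:
            continue
        start = datetime.strptime(started, "%Y-%m-%d %H:%M:%S")
        end = start + timedelta(seconds=seconds)
        # A call left connected may begin before closing time or run past midnight,
        # so test both ends and any change of date.
        if not (out_of_hours(start) or out_of_hours(end) or end.date() != start.date()):
            continue
        entry = totals.setdefault((extension, number), {"calls": 0, "seconds": 0})
        entry["calls"] += 1
        entry["seconds"] += seconds
    # Largest exposure first: repeated calls to one number from one extension stand out.
    return sorted(totals.items(), key=lambda item: item[1]["seconds"], reverse=True)


if __name__ == "__main__":
    for (extension, number), entry in flag_premium_rate_abuse(SAMPLE_CDRS):
        hours = entry["seconds"] / 3600
        print(f"extension {extension} -> {number}: {entry['calls']} call(s), {hours:.1f} h")
```

Grouping by extension and dialled number matters because the fraud depends on one insider repeatedly calling the accomplice's number; a single long call is weaker evidence than the same pair recurring night after night.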

Identity/credit card fraud

Online retail has made the life of the credit card fraudster far easier due to the degree of anonymity permitted. There are a number of methods of obtaining credit card details, from the low-tech methods of ‘bin-raiding’ to the high-tech methods of ‘cloning’, ‘skimming’ and obtaining details by hacking into websites. The fraudster then carries out online purchases using the credit card details and requests that the goods be sent to a different address to that of the genuine card holder. The credit card holder eventually discovers that a number of purchases have been made on their card fraudulently. The credit card company generally reimburses the credit card holder’s account, but the retailer usually foots the bill due to the terms and conditions of the contract they have with credit card companies. This is commonly known as a ‘charge back’.

In March 2002, the Association for Payment Clearing Services (APACS) reported that credit card fraud in the UK had cost £400 million. Card-not-present fraud, which is carried out over the telephone or the Internet, rose by 94 per cent in 2000 and is one of the fastest growing types of fraud in the UK. Credit card fraud has been estimated to reach £600 million per year in the UK by 2005.

The Institute of Chartered Accountants in England and Wales (ICAEW) is the largest professional accountancy body in Europe, with over 122,000 members. For more information on its Fraud Advisory Panel email info@fraudadvisorypanel.org
