Sunday, October 16, 2005

Better Teamwork is an Opportunity

There is an interesting story from the CanWest News Service by Chad Skelton about finding stolen goods on eBay. In the article, it states: "When someone calls this city's police to report they've had something stolen - either in a home break-in or a vehicle smash-and-grab - Sergeant Doug Fisher gives out the same piece of advice, again and again: "Look for your item on eBay."

The story goes on to describe a former high school principal arrested for selling 9,000 items on eBay and a "sophisticated" ring at Toronto's airport that stole millions of dollars worth of goods and sold them....on eBay.

Fisher said, "eBay co-operates by pulling down suspect listings when notified, and turning over the names of shady sellers without requiring a warrant. But he added it often takes the company 10 to 20 days before they respond to his requests."

In the rapidly changing world of internet fraud, 10-20 days is more than enough time for most criminals to assume another identity and be long gone. Furthermore, fencing stolen goods on eBay is only one part of the problem. Fraudulent financial transactions and the use of fake identities pose major problems, also. Again, not only on eBay, but just about any auction site out there.

There has been an increasing problem of "account hijacking" on e-Bay, as well as, other auction sites. This has been happening both with buyer and seller accounts. Quite simply, the accounts are taken over and fraudulent transactions are "laundered" through the legitimate accounts.

Much of this is accomplished from phishing and pharming the information necessary to takeover accounts. The Anti-Phishing Working Group (APWG) in August reported thousands of sites involved in this activity. This would give the criminals involved in this sort of activity the ability to switch accounts and identities every few days, if not daily. In fact, the APWG's latest report estimated the average life of one of these sites to be 5.5 days. If Sergeant Fisher has to wait 10-20 days for his request, the crooks are likely to be long gone.

One would think that it would take a fair level of technical expertise to accomplish this level of sophistication, but it doesn't. There are reports that information need to perform these crimes is routinely sold in chatrooms and even on websites. Even if the criminal doesn't want to buy the information directly, technology to do this is being sold (often very cheaply) and from there social engineering takes over.

To add to the confusion of it all, victims are often harvested from all over the internet (chatrooms, dating sites, job sites etc.) to receive the stolen goods and ship them elsewhere. They are also being conned into negotiating bogus financial instruments and wiring the money to a distant locale.

Please note, that some of these people might be posing as victims in order to avoid the long arm of the law.

I don't mean to single eBay and the auction sites out in this. The same activity occurs with financial institutions, retailers and even "Google." The specifics might vary, but the activity is basically the same and just as intertwined.

We can't win this battle unless the activity can be detected quickly and then dealt with when it's fresh. The criminals simply change identities and then do the same thing (over and over) again. All too often, there are barriers to rapid communication, jurisdictions that aren't clearly defined and red tape.

Ironically, the fear of protecting information sometimes creates a barrier to the rapid exchange of information between the good guys. Let's face it, the fear of "identity theft" has created heightened awareness and laws that make getting information more difficult. Unfortunately, the bad guys aren't hampered by the same rules.

The laws are necessary to protect the innocent. What is needed is better team work, along with safe ways for information to be shared between the people charged with fighting fraud. In addition to this, as the people charged with fighting fraud are normally understaffed and underfunded, perhaps allocating more resources would help, also.

My personal theory is that law enforcement, IT and corporate security types need to communicate more effectively and develop resources to facilitate the rapid exchange of information. There are many resources out there to gather information and many of them do communicate with each other. Herein lies the answer and the more they consolidate their efforts, the more effective they will become.

There has been evidence that a lot of the organized gangs involved in fraud are consolidating their efforts and are working in collusion with each other. In fact, when you note all the cooperation on their end from technology to socializing to logistics, it becomes very apparent. Perhaps, the answer is for the good guys to develop a similar strategy, or fight fire with fire!

You can read the story from CanWest, by clicking on the title of this post.

No comments: