Because RFID tagging is becoming so popular and widely used, concern and controversy are beginning to rise over how much privacy the holder has. The major concern so far is that the owner of an item will not necessarily be aware that the tag can be read at a distance without the owner’s acknowledgment, making it possible to gather sensitive data about an individual without consent and to track the individual at a distance if the perimeter of the signal is large enough.
This can also apply to an individual seeking out information about another person. All that has to be done to gain this knowledge is to enter the perimeter in which the signal can be read with a receiver on which the information stored on the RFID chip can be received and stored, and voilà! This insecurity of information stored on RFID chips can lead to:
- Stalking
- Tracking
- Extraction of personal information without consent
- Vehicle Theft
- Theft from Bank Accounts
- Credit Card Forgery
- Identity Theft
- Entrance to Forbidden Areas
- Access to Personal/Confidential information on Computers/Laptops/Networks
- Espionage of Major Companies and Governments
- And more
As new technologies are released and become more versatile, and individuals place more personal information in them, these technologies must be equipped with better security. If not, personal information may as well be handed to those seeking it.
(Wikipedia Contributors3 2010, Anonymous2 Year Unknown)
The Effect of Computer Crime on Society
What many may not be aware of is that computer crime affects not only the victims directly but also society indirectly. Once a claim of theft has been made, an investigation is launched to determine whether the claim is genuine. Once it has been confirmed that the claim is indeed legitimate, the bank reimburses the money lost in order to keep the customer. After sorting the customer out, the bank launches yet another investigation to discover who the culprit/s behind the theft is. In launching the investigations and reimbursing the client’s money, the bank ultimately makes a loss in revenue. If the loss is great enough, the bank increases the fees charged to all customers in order to recover the loss, affecting the whole of society, who had nothing to do with the scam in the first place. This shows that computer crime does undeniably have an indirect effect on society.
On 22nd January 2007 and over a period of 15 months following, Swedish bank Nordea stated that Nordea customers were targeted by ‘phishing emails’ which contained a ‘tailor-made’ Trojan, tracked by computer experts back to the Russian hacker alias ‘Corpse’ (Andrew E. Kramer 2007). It is believed that 250 customers were affected by this fraud and that approximately seven to eight million Swedish krona (AU$1,500,000 at the time) was embezzled from them altogether, in what McAfee is now describing as the "biggest ever" online bank heist. The increase in bank charges to compensate for this loss can be seen in Nordea’s 2007 Annual Report when comparing the years 2006 and 2007.
(Tom Espiner 2007, International Private Banking & Funds 2007)
Another effect of computer crime, and possibly the largest, is directly on the modern economy. When companies are attacked by malicious software, not only does it cost the company thousands of dollars to get an expert/s to look at the problem, but information also fails to circulate and whole sectors of the company fall one by one, like dominoes, leaving sectors of the economy very vulnerable. “Finance, wholesale and retail trade, transportation, much of manufacturing, Telecommunications, and many service industries would slow to a crawl without computers.” This would bring those services that are vital and needed by society (utilities, national defense, vital services, medicine, etc.) tumbling down, having a dramatic yet indirect effect on society (Brian Cashell, William D. Jackson, Mark Jickling, and Baird Webel 2004).
“According to the Congressional Research Service, several computer security consulting firms estimate global financial losses from viruses, worm attacks and other hostile computer-based attacks to be between $13 and $226 billion” (Jonathan Lister 2010)
What has been done by companies and governments to control the problem?
An OECD report asserts that:
A strategy for a global partnership against malware is needed to avoid it becoming a serious threat to the Internet economy and to national security in the coming years...Today, communities involved in fighting malware offer essentially a fragmented local response to a global threat. [...] Over the last 20 years, malware has evolved from occasional “exploits” to a global multi-million dollar criminal industry.
Since the release of the OECD report by the House of Representatives’ Standing Committee on Communications in 2009, none of the recommendations put forward by the report have been implemented at a national level to date (see appendix for the recommendations made in the report). One action that has been completed is the Department of Defence’s opening of a new cyber security operations centre in Canberra that will only monitor for threats of cyber attack. “51 existing staff … [That] will grow to about 130 over the next five years,” Faulkner said (Staff Writers 2010). The latest ‘idea’ proposed by the Australian government is to implement a National Filter, filtering all data before it reaches ISPs, in an attempt to end cyber crime.
In contrast, to prevent breaches of their systems, companies have gone to the great lengths of hiring ‘White Hat Hackers’.
“White hat hackers, also known as ethical hackers, or white knights, are computer security experts who specialize in penetration testing, and other testing methodologies, to ensure that a company's information systems are secure.” (Wikipedia Contributors4 2010)
However, companies in this day and age want more. They want White Hat Hackers with the ability to prevent breaches of their systems by black and grey hat hackers, to ensure full security of all computerized sections of the company.
Companies have also upgraded physical security, such as camera security, security guards, BIOS password security, encryption methods, firewall setup and anti-virus security personnel (Kevin Fenzi, Dave Wreski 2004). Some have also gone to lengths such as biometrics, employee education, internal company filters, secured LAN and wireless networks, and intrusion detection systems.
Not too long ago, companies united with computer crime squads and government task forces with the objective of catching cyber-criminals on a national basis, including squad units such as the Australian High Tech Crime Centre (AHTCC) under the Australian Federal Police (AFP).
Penalties Imposed by Australian Law for Cybercrime
Possession of Data with Intent:
The maximum penalty is three years imprisonment.
Supplying Data with Intent:
The maximum penalty for the offence of producing, supplying or obtaining data with intent to commit a serious computer offence is three years imprisonment.
Unauthorized Access of Restricted Data:
The maximum penalty for the offence of unauthorized access or modification of restricted data held in a computer is two years imprisonment.
Unauthorized Access with Intent:
The maximum penalty for the offence of unauthorized access, modification or impairment with intent to commit a serious indictable offence is the same as that which is applicable if the person had committed, or facilitated the commission of, the serious indictable offence in this jurisdiction.
Unauthorized Impairment of Electronic Communication to or from a Computer:
The maximum penalty for the offence of unauthorized impairment of electronic communication is ten years imprisonment.
Unauthorized Modification of Data:
The maximum penalty for the offence of unauthorized modification of data with intent to cause impairment is ten years imprisonment.
(Anonymous3 2010)
Weaknesses currently existing in Australian Cyber law
"Cybercrime laws haven't kept pace with technology," a spokesperson for the federal Justice Minister, Senator Chris Ellison, told ZDNet. "Obviously there have been significant developments with computer technology and the Internet and we need modern rules to attack the modern cyber crime that is occurring." (Rachel Lebihan 2001)
Australia's decade-old cybercrime laws were overhauled and replaced by the Cybercrime Act 2001, nine years ago. Cybercrime laws and penalties have once again been left unchanged for close to a decade, not keeping pace with developing technologies and the growth of underground cybercriminal hordes. (Rachel Lebihan 2001)
Not updating the Cybercrime Act of 2001 has subsequently left sentencing times of cyber felons extremely low when compared to the felony they have committed. On 27th January 2009, two hackers were sentenced in court, the first to two years in prison and the other 18 months, for breaking into millions of computers worldwide and using the hijacked systems in online crimes. In both cases the sentences equaled the time the perpetrators had already served, allowing them back onto the streets the moment after the court had ordered them to pay a fine of 13000 Euros altogether.
(Joris Evers 2007)
Also, Jeffrey Lee Parson pleaded guilty on the 10th of August 2004, to unleashing parts of the MSBlast worm attack that wreaked havoc six years ago.
“The [MSBlast] worm checks your system clock and if it's August 16 through December 31, it will launch a denial-of-service attack against Windowsupdate.com,” said Taylor, vice president of technology at Web monitoring firm Keynote Systems. “There are two possible effects. If you're a home user, all your bandwidth will be used up for the attack. Secondly, your Internet provider may disconnect you from the Internet to protect themselves.” (http://forums.gamershell.com/showthread.php?2625)
Jeffrey was 19 years old, and was sentenced to between 18 and 37 months. Compare Parson's sentence with the penalty of 38 months in jail which is given to those caught with marijuana. These people cause no property damage and harm nobody apart from themselves. Parson could be serving more time if he had simply stolen a neighbour's car on a whim. (Declan McCullagh 2004)
This ignorance on the part of the court judges in both cases allows cybercriminals and civilians to think that cyber felonies committed in Australia have little or no consequences. Can an increase be expected in cybercriminals? You tell me.
On a different note, Australia has not yet agreed to sign the Council of Europe Cybercrime Convention, which would provide greater assistance to Australian law enforcement for serious cases of cybercrime where overseas-based law enforcement assistance was required. If this were to be agreed to, it would enable law enforcement to investigate and prosecute those within Australia who commit cybercrime internationally and those who are on international soil but commit a cybercrime in Australia.
That is not the only weakness. As a loophole to escape accusations, charges or even a portion of jail time, cybercriminals can plead in their defence that they were threatened or pressured, and/or that it was a necessity to carry out the felony. This has the potential to decrease the sentence of the perpetrator or even let them back onto the World Wide Web.
Another weakness brought into the spotlight on theage.com, by Carmel Edgan (March 7, 2010), is that police officers are presently ignoring reported cybercrimes, simply because they are untrained in that area and do not know what to do.
“I would average one call every 14 days from a mother trying to report cyber-bullying or grooming [to police] only to be told 'it's not our problem' and to go to the federal authorities,” said former cyber-safety project officer Susan McLean. “Most Victorian police officers have no knowledge of these crimes or how to deal with them.” (Carmel Edgan 2010)
What proposed changes are being or should be suggested to overcome these loopholes?
Earlier this year, news broke that the Australian Government was ‘considering’ acceding to the Council of Europe Convention on Cybercrime of 2004. This international treaty is designed to facilitate the identification, extradition and conviction of cybercriminals around the world, assisting in the continuous battle to exterminate cybercrime from the face of the Earth. But what has changed that the government is considering acceding to it 6 years down the track?
(Liz Tay 2010, Karen Dearne 2010, Renai LeMay 2010, Trevor Clarke 2010)
Other than this hearsay, presently, there is no news on what is being done about the previously stated weaknesses in the Australian Cyber Law.
As for proposed changes to improve these weaknesses:
- Penalties should be changed to keep pace with changing technologies and the techniques by which cyber felonies are executed
- Officers should be trained to handle the cybercrimes that occur more frequently in local communities, such as sexting, stalking or harassment and bullying, and also be trained to relay crucial cybercrime information to the relevant organisation/s, such as information received about a bank robbery taking place using the internet
- The Cybercrime Act of 2001 should be updated and kept updated at least every 2-5 years.
“With the expeditious rate of advances in technology, coping with those classified as computer criminals who are always one step ahead, is virtually impossible. They may patch up faults in previous systems, however do not recognise faults in latest systems until it’s too late.” (Anonymous4 Year Unknown)
Chances of a computer criminal being caught and prosecuted
“A small number of all computer crimes are detected. Of these only 12 percent are reported to the authorities and only 3 percent of offenders go to jail. The chance of a computer criminal being caught and going to jail is approximately one in twenty-seven thousand.” (Introduction to Private Security, fifth edition, by Kären M. Hess, 1996, updated 2009)
The use of computers worldwide has increased astronomically over the last fifteen years. However, because the laws, penalties and steps being implemented by the government allow for jailing 1 in 27000 computer criminals, it has been anticipated that computer crime’s pilfering may eventually reach $50 billion per year.
“If current attitudes and approaches to dealing with the problem by government and industry do not change and improve, then gains in building an online economy, through the provision of new businesses, services and the physical infrastructure, will provide little benefit to our citizens, communities and economies. Rather, the online information and service economy will simply provide an opportunity for cyber criminals to prosper at our expense with relative impunity. Indeed, the harm to our citizens, communities and economies, could be far more reaching and serious than many realize.”
Reference List
Anonymous1, Year Unknown. Computer Crime, [Online]. Available at: [accessed 12 June 2005].
Peter Guerra, 2009. Computer Crime How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession, [Online]. Available at: http://www.blackhat.com/presentations/bh-usa-09/GUERRA/BHUSA09-Guerra-EconomicsCyberCrime-PAPER.pdf [accessed 12 June 2005].
Wikipedia Contributors, 2010. IPhone, [Online]. Available at: [accessed 12 June 2005].
Nicolas Seriot, 2010. iPhone Privacy, [Online]. Available at: [accessed 12 June 2005].
Ellinor Mills, 2010. Researcher warns of risks from rogue iPhone apps, [Online]. Available at: [accessed 12 June 2005].
Wikipedia Contributors2, 2010. IPad, [Online]. Available at: [accessed 12 June 2005].
Wikipedia Contributors3, 2010. Radio-Frequency Identification, [Online]. Available at: [accessed 12 June 2005].
Anonymous2, Unknown Year. [Online – However is now presently offline]. Available at: [accessed 12 June 2005].
Andrew E. Kramer, 2007. An online bank heist casts light on shady world of hackers, [Online]. Available at: [accessed 12 June 2005].
Tom Espiner, 2007. Swedish bank hit by 'biggest ever' online heist, [Online]. Available at: [accessed 12 June 2005].
International Private & Funds, 2007. Nordea Annual Report 2007, [Online]. Available at: [accessed 12 June 2005].
Brian Cashell, William D. Jackson, Mark Jickling, and Baird Webel, 2004. The Economic Impact of Cyber-Attacks, [Online]. Available at: [accessed 12 June 2005].
Jonathan Lister, 2010. Impacts of Computer Cyber Crime, [Online]. Available at: [accessed 12 June 2005].
Staff Writers, 2007. Defence Opens Canberra cyber security centre, [Online]. Available at: [accessed 12 June 2005].
Wikipedia Contributors4, 2010. White Hat, [Online]. Available at: [accessed 12 June 2005].
Kevin Fenzi, Dave Wreski, 2004. Physical Security, [Online]. Available at: [accessed 12 June 2005].
Anonymous3, 2010. Computer Offences, [Online]. Available at: [accessed 12 June 2005].
Rachel Lebihan, 2001. Australian cybercriminals facing stiffer penalties, [Online]. Available at: [accessed 12 June 2005].
Joris Evers, 2007. Dutch botnet hackers sentenced to time served, [Online]. Available at: [accessed 12 June 2005].
Declan McCullagh, 2004. Punishment fails to fit the cybercrime, [Online]. Available at: [accessed 12 June 2005].
Carmel Edgan, 2010. Cybercrime Cases Ignored by Untrained Police, [Online]. Available at: [accessed 12 June 2005].
Liz Tay, 2010. An online bank heist casts light on shady world of hackers, [Online]. Available at: [accessed 12 June 2005].
Karen Dearne, 2010. Australia to sign Global Treaty to Combat Cybercrime, [Online]. Available at: [accessed 12 June 2005].
Renai LeMay, 2010. Australia to sign Cybercrime Treaty, [Online]. Available at: [accessed 12 June 2005].
Trevor Clarke, 2010. Australia Join European Cybercrime Convention, [Online]. Available at: [accessed 12 June 2005].
Anonymous4, Unknown Year. Computer and Cost [Online]. Available at: [accessed 12 June 2005].
Appendix
Goal to prevent cyber attacks from occurring
At the national level, implement regulations which require:
1. any organisation hosting a commercial web site (as opposed to a web page) to adhere to web application security standards, such as those by OWASP.
2. any organisation hosting a commercial web site (as opposed to a web page on a pre-existing web site) to be certified by a qualified and competent third party and display a certification on their web site that it adheres to various security practices which make their web site ‘safe’ from a consumer perspective to visit.
3. any organisation hosting, developing or maintaining a commercial web site to use qualified IT security personnel – employed directly or outsourced – and for that individual to demonstrate their qualifications through appropriate security certifications.
4. Any organisation or business found to breach these regulatory requirements to suffer stiff financial penalties and be required by law to take action to become compliant within a particular reasonable time frame.
5. Require Australian registries/registrars to follow a Code of Conduct adopting the APWG Best Practice Guide.
6. Require network level secure protocols to be implemented as broadly as possible by network owners in Australia and anyone operating under the .au ccTLD (eg, DNSSEC, IPSec, SBGP, etc).
7. At the national level provide financial incentives for students and universities to provide access to more IT security courses.
8. At the national level provide financial/tax incentives for employers and employees to undertake further professional development in areas of information security, network security, cyber security management and obtain relevant certifications etc.
9. At the national level, ensure that anyone who sets up a business to ‘repair computers’ and ‘remove malware’ has received formal IT security training and certifications before doing so. Ensure that these certifications are displayed to enable consumers to have confidence that they are obtaining professional assistance.
10. At the national level provide financial/tax incentives for employers and employees to undertake further professional development in areas of information security, network security, cyber security management and obtain relevant certifications etc.
Medium term
11. Later, if the proposed regulations outlined in 1-4 above prove to be effective in reducing cyber attacks in Australia, extend arrangements to any public facing network systems such as routers, mail servers, domain name servers etc. It is recommended to focus primarily on web sites and web applications, as they are a very popular target for attack and have the greatest ability to expose ordinary internet users to malware attacks.
12. Work with governments internationally to improve current levels of cooperation between CERTs, registrars and ISPs to mitigate identified attacks in progress in a more timely manner than current arrangements provide.
Figure 1: SPAM by botnets estimates
http://www.blackhat.com/presentations/bh-usa-09/guerra/bhusa09-guerra-Economicscybercrime-paper.pdf