If your understanding of cybercrime comes from mainstream media reports, your head is full of rubbish. Cheap comic-book yarns bearing little resemblance to the real threats.
Indeed, the stories that get reported are chosen precisely because they can provide simple narratives and archetypical characters with clear motives, not because they’re significant battles in the perpetual cops-versus-crims war for control of the internet.
Don’t worry about tedious technical details that might help us understand the serious risks we face and how we might deal with them. Just give us more of them 90-second TV reports about heroes and villains. Preferably villains with a witty line in repartee.
The skirmish between News International and the LulzSec-Anonymous tag team was textbook. On the one side sat the evil lizard king himself, Rupert Murdoch, accused of psychologically torturing the families of innocent victims. On the other the merry pranksters of LulzSec taunted the ageing monarch with a stream of media-friendly tweets while they tore holes in his digital fortress. Anonymous was their global cheer squad.
The morality play continues with a different theme now. Alleged LulzSec hackers have been arrested. They’re just kids, really. LulzSec really was just for the laughs.
Didn’t they know their own strength? They gained power over a media empire’s internet presence, yet all they did was post their own “funny” Murdoch death hoax and, an hour later, divert visitors to their own Twitter feed. Their threat to release thousands of News International emails never materialised.
The apparent message was that irresponsible youngsters vandalise the property of rich men. As they always have done. And they’ll get caught.
Similarly, last week’s arrest of a 25-year-old truck driver gained national attention because his alleged crimes were spun into the completely untrue “OMFG the National Broadband Network has been hacked!”
His supposed motive? He’d been turned down for IT-sector jobs and wanted to prove his skills. “The fools! I’ll show them!” is a theme familiar to any comic-book reader.
Here the apparent message is that hackers are young men with a chip on their shoulder, working alone. No real damage was done. Move along. Nothing to see here.
These stories are real, of course. But they’re not typical. Your reality has been distorted.
The typical victim of online crime is someone exactly like you.
That’s the problem, really. No disrespect, but no-one cares about you.
No-one gives a damn that someone stole $50 from you using your credit card number, hacked from an online book store. The bank paid you back, didn’t they?
No-one gives a damn that you fell for it when that perfectly legitimate website popped up a window saying your computer was infected and how, for just $29.95, you could get better protection. How stupid are you? Can’t you tell the difference between the anti-virus software you installed and some internet scam?
No-one gives a damn that you sent $8000 to that lovely Russian woman for her plane tickets and she never turned up. You’re just a stupid, lonely old fool. Who are you anyway? Nobody.
While all that’s more or less true, it misses three important points.
First, these crimes are committed on a vast scale. Criminal processes are orchestrated globally, automated, and supported by thousands of unwitting, disposable minions. If only a tiny percentage of people fall for scams, we’re still talking millions of dollars.
Second, the bad guys are good at this. Really good. Blaming the victims is inappropriate. “They had it coming to them”? Really?
Third, it all connects up. Fifty bucks went missing from your credit card precisely because the number had been stolen from a poorly-secured online store. The legitimate website popped up the message from the fake anti-virus product because it, too, was poorly secured and had been hacked automatically by software that probed a hundred thousand websites one night.
Or, in the case of identity theft, when someone takes out $50,000 of loans in your name? That happens through the gradual accumulation of personal data. Your name and email address from a list stolen from a hacked website, cross-matched with your street address from another, your date of birth from a third, and so on.
These databases can contain millions of people’s details. They’re traded in shady online markets where people buy the pieces missing from the databases they already have, merge them, refine them, mark ’em up and sell ’em on until eventually there’s enough to turn it all into a credit application. It’s then laundered through “money mules”, people recruited in the belief they’re making money at home with just a computer.
The story of this vast, global ecology of crime is both fascinating and real. So why isn’t it told?
Well, it’s a hard story to tell. Everything’s new and different. Imagine trying to tell the story of a bank hold-up if you had to first explain all the pieces as if they were brand new. Bank. Money. Gun. Trigger. Balaclava. “OK, everybody lie down on the floor and keep calm.” Getaway car.
Global organised crime is a complex octopus. By the time you’ve explained the first sucker at the end of tentacle number one you’re up to the next ad break and everyone’s lost attention. Or so the theory goes.
Yet the octopus is real. And, by all accounts, growing.
My fear is that the octopus will be allowed to grow unmolested. If the story isn’t told, backed up with proper reporting of cybercrime and reliable analysis, then we’ll just keep entertaining ourselves with the LulzSec circus. And the real Bad Guys will win.
Stilgherrian is an opinionated and irreverent writer, broadcaster and consultant based in Sydney, Australia.