Big fraud: Companies struggle to combat cyber-enemies

For most people, securing their homes from intruders involves locking doors, latching windows and perhaps switching on an alarm. But what if thieves could breach these defenses through doors and windows that connect your home with the next-door neighbor's house, or the neighbor's neighbor or, for that matter, the neighbor's neighbor's accountant, who happens to live on the other side of the world? And what if you didn't know that some of these routes leading into your house even existed?

Welcome to the business world circa this minute, an age of deepening technological insecurity in which the dark side of interconnectedness is emerging in a wave of fraud, hacking and many other kinds of cybercrime. 

As the recent attacks on Target (TGT), Neiman Marcus and other retailers make clear, the risks for companies include financial losses, reputational damage and lengthy investigations. Credit and debit card issuers, along with merchants, lost $11.2 billion in 2012 because of fraud, up nearly 15 percent from the previous year, according to The Nillson Report, a payment industry publication.

The financial impact of individual attacks is also mounting, with the number of incidents causing losses of at least $1 million reaching record highs.

Dangerous world

To be sure, computer crime is practically as old as the computer. But a host of factors are combining to raise the risks -- and the stakes -- for consumers and businesses alike.

What's changed? First, and most obviously, the virtual world continues to expand across the physical world, with the advent of social media, mobile technology, cloud computing and "Big Data" creating new vulnerabilities for covert government agencies, criminal bands and hackers to exploit.

Second, the bad guys, often operating as part of international crime rings, are smarter, better organized and willing to compare notes. The tools of the trade have also become highly sophisticated and easier than ever to procure, allowing fraudsters to execute their schemes from virtually anywhere in the world.   

"The Secret Service has observed a marked increase in the quality, quantity and complexity of cybercrimes targeting private industry and critical infrastructure," he said. "These crimes include network intrusions, hacking attacks, malicious software and account takeovers leading to significant data breaches affecting every sector of the world economy."

Fourth, companies have a hard time deterring an attack even when they do have a game plan for fighting fraud.

In part, that reflects a limitation in the approach that security companies have taken in the past in battling cyber-criminals, which is to identify known viruses, malware and other suspicious online activity. But criminal elements also have become more adept at hiding their tracks, disguising and customizing attacks in ways that make them difficult to anticipate, let alone stop once they are unleashed.

Caught napping

One thing is apparent from some of the recent incidents: no one is safe. The range of wrongdoing spans from run-of-the-mill data theft targeting isolated individuals to massive break-ins of the kind that hit Target.

Just last week, for instance, PayPal President David Marcus said on Twitter that someone had stolen his credit card information -- perhaps from a hotel or business he had visited during a recent trip to the U.K. -- and gone on a shopping spree (an incident he used to tout PayPal's services):

According to the Privacy Rights Clearinghouse, a nonprofit advocacy group, since 2005 some 663 million records have been violated in a total of more than 4,100 separate incidents. Other companies that suffered major database breaches last year include software maker Adobe, which in October saw 2.9 million customer accounts compromised, and social media company LivingSocial, where 50 million records were violated.

A more sinister invasion took place in 2010, when hackers exploited a simple design flaw in a type of video camera consumers use to monitor their homes remotely to post live feeds on the Web -- into people's homes.

"The feeds displayed babies asleep in their cribs, young children playing and adults going about their daily lives," the Federal Trade Commission said in cracking down on the camera vendor, called TRENDnet, in September. 

Widening "attack surface"

The spate of attacks in recent years reveal something else: Most companies aren't ready for them. A 2013 survey of 500 corporate executives, security experts, government staff and others by management consulting firm PwC (conducted with CSO Magazine, Carnegie Mellon University and the U.S. Secret Service) found that many business leaders lack even basic knowledge about who oversees information security for their companies.

Asked if they had methods in place to evaluate the efficacy of their security programs, a whopping 60 percent said "no" or weren't sure. 

It is the nature of business that companies struggle to keep up with changes in technology, along with the inevitable security issues that are the byproduct of innovation. And computer fraud is nothing new. In 1970, just to cite one early scam, a teller at the Manhattan branch of the Union Dime Savings Bank over three years managed to steal $1.5 million from hundreds of customer accounts by fooling the company's computer system.

What's different today is the unprecedented level of interconnection between consumers, businesses, suppliers and contractors. For companies, those myriad touchpoints -- from social media accounts, to HR databases, third-party payment-processing and customer-management systems -- represent an expanding "attack surface" for fraudsters, said Dave Burg, global and U.S. cybersecurity leader for PwC.

Clearly, the days when businesses could focus only on securing their own fortress are long gone. Today, even the humblest startup is likely to exchange sensitive information with a range of customers, business partners, suppliers and government agencies. For global corporations, the challenge is staggering given the many opportunities for such entities to mishandle confidential data or to fail to protect their own systems. 

"The reality today is that many companies rely on third parties to deliver services," Burg said. "They might rely on contractors to deliver pieces of a business process, or they could have joint-venture partners. We have a highly interconnected ecosystem where no business operates on its own."

The Christmas attack on Target, which is thought to have affected as many 110 million current and former customers, is a case in point. Security expert Brian Krebs reports that the scheme may have started when hackers infiltrated a heating and refrigeration company that did business with the retailer. Although an investigation into the breach continues, he believes that malware-infected email was sent to employees of the HVAC company, allowing criminals to gain access to Target's information systems.

Aite Group, a research and advisory firm, estimates that in early 2013 more than 150,000 new strains of malware were introduced -- every day. These include so-called keylogging attacks, such as the ZeuS Trojan malware used to steal more than $1 million from U.K. businesses and consumers in 2010, and malware that targets merchants at the point of sale.

"The technology and techniques utilized to undertake all manner of attacks are increasingly becoming commoditized," Burg said. "The barriers to entry to carry out an attack are getting lower and lower because of the commoditization of many of these kinds of tools, which are now sold on the open market."