The Size and Cost of the Problem
Internet fraud and other illegal activities on the Web are seeping into every aspect of our lives. Most people have an email account, which exposes them individually to spam and malicious emails that display a compelling message to click on an attachment or a link in the body of the email. This is known as a phishing scheme, and is the most common method to infect a computer and turn it into a “Bot” for use by the perpetrator for various nefarious purposes. (A Bot is a computer or Internet device that has been infected with a program rendering it under control of a remote agent over the Internet. A BotNet is a group of Bots controlled by one culprit). According to “Hacked Again”[1], 80,000 people globally fall for Internet scams every day. In 2014, $16 billion was stolen from 12.7 million US residents[2] from identity theft alone. As Canada has a high rate of web usage, we would also have substantial daily losses.
Distributed Denial of Service (DDoS) attacks are being used increasingly with greater volume to shut down sites of organizations and countries. The object of the attacks may be for political purposes, as was the case in Estonia when the country was attacked by alleged Russian sponsors in 2007[3]. Ransomware attacks are also carried out against private organizations, which are attacked and forced to pay a ransom to either stop or mitigate the attack.
Clicking on a malicious email link can potentially infect one’s computer with a virus to gain access to bank accounts and obtain credit card information. Banks have an on-going loss to hacked credit cards, and there is a “dark market” industry providing software and hardware for use by non-programmers to gain access to our private Internet connected equipment. It is a widespread and growing industry with a large base in Russia, the CIA alleges. For instance in the US 2016 election Russian sources hacked candidate email accounts and had some influence in the election.[4]
Over the past year many major retail firms have been attacked to expose customer credit card data. For instance, Walmart reported their credit card system had been hacked in May of 2016.[5] In August, Forbes Magazine[6] reported a number of major hotel chains were hacked for credit card data. In 2016 Home Depot[7] and Target[8] were hacked. The costs of these hacks is well into the tens of millions as indicated by Home Depot’s settlement offer to customers, which totaled $19 million to compensate for credit losses.[9]
Even the police system in Ottawa was hacked a year ago.[10]
The Internet of Things (IOT) is growing with greater numbers of Internet-connected devices in homes, from printers to light bulbs to thermostats among many others. As reported by the Toronto Star [11], a hack on a company called Dyn affected major firms such as Twitter, Spotify and Reddit. Hackers used Internet-connected devices such as CCTV cameras and printers, along with personal infected computers running as Bots to shut down the firms’ Internet. The Globe & Mail [12] reporting on this stated that, “hundreds of thousands of IOT devices were used”. The same article pointed out that in four years there will be 30 billion devices connected to the Internet. The Globe stated that industry experts are suggesting that most device manufacturers pay little attention to security. They note that adding security increases the cost of manufacturing these devices, and that it is not that manufacturers themselves that bear the consequences of security breaches.
The criminal side of the industry is maturing, with specialization growing. Programmers and software experts have formed organizations to sell their product as a more secure and less risky way to make more money than doing the hacking themselves. On the “dark” Internet, software to hack computers, websites, Internet-connected devices, and hardware, such as credit card scanners, can be purchased. This has the potential to open the field to a much larger group of criminals who now do not need to be software experts, but can simply buy the automated tools to carry out their illegal activity.
Ultimately, the individual consumer pays for this fraudulent activity through higher fees and prices from the industries affected. Internet fraud and illegal activity has the potential to wreak economic and political chaos in western countries that are ignoring the problems and not updating laws and regulating the activity. However, there are potential solutions to this growing illegal activity.
What Other Countries Are Doing
Countries such as China and Saudi Arabia closely control access to the Internet by monitoring the usage of their residents. The upside of this censorship is that it is more difficult for scammers outside of their borders to infiltrate their devices. Russia, similarly, has set up a central organization to which all Internet Service Providers (ISP’s) must send a copy of all traffic (the ISPs are made to pay a fee to cover the cost.) This enables Russia to fully censor all communication, and to identify and control illegitimate traffic.
The Russian government has gone one step further with a firm in St. Petersburg, which has an allotment of over 2,000 IP addresses with which it provides hosting services to companies with no restrictions on what to do outside of Russia. This firm, Russia Business Network[13], can provide a high degree of protection for these firms from foreign attacks. This is a level of security from which no firm in the West benefits. This potentially allows firms in the business of sending malicious emails to establish Bots in the West and to hack corporate sites for financial and corporate espionage to find a safe home here.
The performance of this Russian Business Network surfaced in cases such as those reported by the CBC this past June[14]. Hackers believed to be working for the Russian government broke into the Democratic National Committee’s computer network, spied on internal communications and accessed research on presumptive Republican presidential nominee, Donald Trump, the committee and security experts.
A similar event surfaced and was reported by the BBC this past October[15]. US intelligence officials accused Russia of trying to influence the outcome of the US presidential election by deploying cyber-attacks to destabilize the political system. Concern about Russia’s increasingly aggressive use of cyberspace has also been growing in the European Union, especially after a French television channel was taken off air last year, with Russia as the source of the attack.[16]
By comparison, Canada and other western countries are perhaps implementing less robust infrastructure to curtail the burgeoning wave of internet crime. For instance, Ontario plans to introduce legislation next spring to outlaw computer “scalper bots” that scoop up huge blocks of tickets to concerts and major sporting events, forcing many customers to the more expensive resale market. .[17]
As well, as reported by the CBC[18], the CRTC has given the phone companies 90 days to stop nuisance calls from being hacked with misleading numbers as to who is calling.
Potential Solutions
The Internet is a network of communication lines joining routers which in turn connect to servers that communicate with individual users of the Internet. A message packet from Russia will travel through several routers in Europe, cross the ocean in an undersea fiber-optic cable and again is sent through various routers to arrive at a server connected to an individual user in North America. Each router sees the Internet Protocol (IP) address of the sender and the destination address. These routers are programmable and can be made to filter out data.
The key point of this is that the system within each country is owned and potentially regulated by that country’s government. Indirectly, through our Internet fees, we are paying for the hardware and software that brings us the malicious and fraudulent data.
Communication has always been regarded by governments as a powerful tool for its citizens. For instance, in the early days of radio, one had to get a radio license just to own a radio. Two-way VHF radios that allowed users to communicate over substantial distances required a license and an exam to verify adherence to operating procedures. Amateur (HAM) radio operators had to pass an exam and be licensed. They were able to communicate, in some cases if atmospheric conditions are right, around the world.
We now have the Internet, through which one can communicate around the world instantly. While this is certainly an upside, this instant communication has the potential to facilitate unwanted events, such as malicious access to financial institutions and corporate secrets. Despite this threat, there is meagre regulation.
Government Action
There is currently little economic motivation for industries to build secure products. If one’s printer or thermostat gets hacked and is used as a Bot to assist in a DDoS attack, there is no cost to the manufacturer.
As such, it must be considered that perhaps government should pass legislation to make the product supplier financially liable for illegal activity that is the result of slack security of the product.
The ISP is fully aware of the volume of traffic its clients are engaged in, yet allows it. The IP address for such ISPs should be locked out of the country or province. Once ISPs realize such clients are reducing their coverage and marketability of their services to normal clients, they will start policing the traffic. Most normal ISPs have limits on the number of emails clients can send per hour, making the broadcast of indiscriminate millions of emails unfeasible.
The purpose of proxy web sites[19], is to allow users to tour the Internet anonymously. Virtual Private Networks (VPN) are another tool name for disguising where the user is located. Normal users have no reason to use such sites, and only those who wish to conceal their IP address use them. This is a necessary tool for senders of illegal or malicious emails over the Web.
A database of proxy sites can be generated, as they do not hide their purpose. Directories of proxy sites are readily available using search engines.
Outlawing communication to and from proxy sites will potentially eliminate a major tool of undesirable traffic. We have control over routers connected to the rest of world, and their owners have to be made to filter the packets of data transmitted in and out of the country to bar proxy sites.
Regulation may be one of the key steps in preventing Internet service providers from sending data packets without the IP address of the actual sender. It appears savvy criminals are able to modify their transmissions so that it appears to come from elsewhere.
A regulation agency could be formed, which tracks criminal and malicious traffic, and maintains a list of sites that must be blocked from entering the system. This includes IP addresses of devices that participate in DDoS attacks. This would force manufacturers to take on responsibility for their products, as the device would become dysfunctional if they were hacked. Similarly, owners of devices that are identified as a source of crime would be blocked, as would Internet service providers that allow their users to send out voluminous amounts of malicious email.
Essentially, all players in the World Wide Web have to take on responsibility for stopping illicit traffic. Government regulation could be an invaluable step in the right direction. As well, a mass public education campaign on responsible Internet hygiene and best digital practices could also be another step taken to further curtail harmful Internet activity, and potentially stop malicious data reaching its targeted devices. Ultimately, some form of government legislation at the national or international levels may be created if other steps do not work. While government legislation may work for the intended purposes, history is replete with examples where such legislation is misused or has unintended and undesirable impacts. Care is warranted.
