Wednesday, October 17, 2012

Amending existing laws to accommodate cybercrimes, a flawed approach

Indian newspapers recently carried reports captioned “Crimes against women: Send porn MMS, emails, land in jail for 3 yrs, pay Rs 50,000 fine”. Cybercrime through the filming and distribution of porn MMSes of unsuspecting women has always captured newspaper headlines in India. Publicized cases have been few and convictions almost negligible.

According to these reports, an amendment to the Indecent Representation of Women (Prohibition) Act 1986 was cleared by the Indian Cabinet, bringing in stringent penalties for transgressors using electronic media. Until now the 26-year-old act only covered print advertisements and publications.

When I read the fine print of the amendment, it struck me that this was not in the least a law against cybercrime, only an amendment to include the indecent representation of women in electronic advertisements. Beyond proving how fallacious newspaper headlines can be, it amply establishes that cyber laws are daunting to enact and far from practical implementation.

Trying to amend old laws to accommodate new behavior in the Internet era is fundamentally flawed, though it may be a quick fix. In the past, using print media, it was arduous for ordinary individuals to distribute indecent content at scale. Consequently, when the act was written twenty-six years ago, it never considered this an issue. But today, in the electronic world, equipped with a mobile phone camera and the Internet, anyone with a dirty motive or an opportunity can do it. Such indecent online postings by solitary individuals, whether trolls, bullies, pornographers, or cybercitizens settling scores online, are commonplace.
New laws to tackle cybercrime must be written which embody the new genre of criminal behavior and cybercitizen misdemeanors.

Monday, October 15, 2012

Cyber Crime: Unsuspecting Indians fall prey to Call Fraud

The phone rang once and was instantly cut. Sixty-year-old Sally gave a passing glance at the missed call number, which began with +22, her local Mumbai code, and called back. At the other end of the line she heard the mournful shrieks of a woman being beaten and the savage voice of a man hurling constant abuse. Worried, confused and fearing that she may have received an SOS call, she asked, “Who’s there? Is there a problem? Stop it!”

In the following 3-4 minutes, before she had time to think clearly, her call was cut short for lack of funds. The Rs 200 ($4) she had recently topped up her account with was exhausted. At the mobile store she was informed that, as she had made a call to a premium rate number which charged Rs 50 per minute, her balance had been consumed. There was no refund. The telecom provider was not at fault; she should have checked the number before she made the call. Only later did she read in the national newspaper that such frauds were widespread.

As she recounted the incident to her neighbor, she asked, “If these frauds are so well known, should not the telecom company and the government have done something about it?”

India is a large prepaid market, and international fraudsters have conjured several tricks to coax vulnerable people into making calls to international premium rate numbers. Calls to such numbers are charged at a premium over normal calls. They are regularly used for adult sex lines, directory enquiries and voting for contestants on game shows.

Fraudsters buy these premium rate numbers from international telecom companies and earn money by sharing the revenue for calls made to them. They grow their earnings by raising call volumes, using automated dialers and similar schemes to dupe victims into calling. The revenue sharing arrangement, some would argue, reduces a telecom’s self-motivation to check such activity unless forced to do so by law or regulation.

The fraudster’s first objective is to dupe people into calling the premium rate number. They do this by making several “ring once and cut” (missed) calls to a victim’s phone, creating a sense of urgency to call back, and by making the missed call number appear local by using international numbers which resemble local codes. For example, an international number beginning +224 may be mistaken for the “022” Mumbai code by individuals unfamiliar with international dialing.

The second objective is to keep the victim engaged on the call for as long as possible, since a longer call means higher revenue to the fraudster. This is usually done by playing a recording of a woman being abused or having sex, or by having a live operator masquerade as an agent for a scheme such as a lottery the victim is supposed to have won. The operator takes time to brief the victim on the win and even notes down personal details such as a postal address to mail the award to. This personal information can later be used for other types of online scams.

Stolen phones are also used to call premium rate numbers, usually immediately after the theft. Tourists who lose their phones abroad will quickly find that their credit limits do not apply, due to the delay in receiving billing data from the foreign carrier. Bills may be huge.

Safety Tips to Keep in Mind to Avoid Call Fraud

1.    Do not call back on unknown international numbers. Be suspicious of “a one ring and cut” call.

2.    Disable the international dialing facility, if not needed.

3.    Report a stolen phone and have the number blocked immediately.

Actions Telecom operators and the Law can take

1.    Telecoms should enable international calling on request, and not by default.

2.    Telecoms should detect whether premium rate numbers are being used fraudulently through a study of call patterns.

3.    Governments should enact strict laws and penalties to discourage such crimes.
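To make the call-pattern detection in point 2 concrete, here is an added example (not from the original post) that scans constructed call records for the pattern described above: one foreign number ringing many subscribers for a second or less, a leading code that mimics a local one, and the callbacks that follow. The record format, the +91 home country code and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample call records (not real data): (caller, callee, seconds).
# Foreign numbers carry a '+' prefix; domestic ones are plain digits.
# A "ring once and cut" campaign shows up as one foreign number placing many
# zero-duration calls to many subscribers, followed by costly callbacks.
CDRS = [
    ("+2245550100", "919820000001", 0),
    ("+2245550100", "919820000002", 0),
    ("+2245550100", "919820000003", 0),
    ("+2245550100", "919820000004", 0),
    ("+2245550100", "919820000005", 1),
    ("919820000003", "+2245550100", 240),   # victim calls back, 4 minutes
    ("919820000007", "919820000008", 95),   # ordinary domestic call
    ("+14155550123", "919820000001", 0),    # a single missed call, benign
]

HOME_COUNTRY = "+91"  # assumed home country code

def is_foreign(number):
    return number.startswith("+") and not number.startswith(HOME_COUNTRY)

def looks_like_local_code(number, local_codes=("022",)):
    """True if a foreign number's leading digits mimic a domestic area code
    once the trunk prefix '0' is dropped, e.g. +224... vs Mumbai's 022."""
    digits = number.lstrip("+")
    return any(digits.startswith(code.lstrip("0")) for code in local_codes)

def flag_wangiri_callers(cdrs, min_targets=3, max_seconds=1):
    """Foreign numbers that rang at least min_targets distinct subscribers
    with calls of max_seconds or less (unanswered 'one ring' calls)."""
    targets = defaultdict(set)
    for caller, callee, seconds in cdrs:
        if is_foreign(caller) and seconds <= max_seconds:
            targets[caller].add(callee)
    return {c for c, t in targets.items() if len(t) >= min_targets}

def callbacks_to(cdrs, flagged):
    """Subscribers who returned a call to a flagged number, with the
    duration that would be billed at the premium rate."""
    return [(caller, callee, s) for caller, callee, s in cdrs
            if callee in flagged and s > 0]

if __name__ == "__main__":
    flagged = flag_wangiri_callers(CDRS)
    for n in sorted(flagged):
        print(n, "lookalike of a local code" if looks_like_local_code(n) else "")
    print(callbacks_to(CDRS, flagged))
```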

Wednesday, October 10, 2012

Loss of a personal portable electronic device

Most of us routinely carry several portable computing devices which vary in shape, colour, size and function, from expensive laptops, tablets and smartphones to cheaper eBook readers, portable hard drives and USB drives. Invariably, some of us lose one or more of these items through theft, physical damage, electronic failure or misplacement.

For an individually owned device, the largest cost is the replacement value of the asset. But there are other inherent but non-tangible risks, such as the disclosure of personal data like intimate pictures and private correspondence, the potential misuse of email and social network accounts, and access to stored business data and emails.

Being aware of, and alert in, the situations where the probability of losing these devices is highest is in itself an effective safeguard against loss. Based on statistics, theft is most likely to occur at home or from a car, physical damage through lax handling during travel, and misplacement at airport security checkpoints, in hotel rooms and in rented cars. Individuals are most vulnerable when in a hurry, preoccupied, careless or angry, and when carrying too many gadgets.

Safety tips that can be kept in mind are:

1.    Label the device with your name, address, email id and telephone number to assist in its return

2.    Use full disk encryption to prevent access to data - both personal and business

3.    Use strong passwords to log on to the operating system (e.g. Windows) to delay access to email and social networking applications where passwords were automatically saved by the browser. We can only delay, not prevent, access, as the operating system password can be recovered using password cracking tools.

4.    Take backups

5.    Use protective cases to prevent physical damage during travel

6.    Immediately change all passwords for email and social networking applications where passwords were saved by the browser. Preferably, disable the browser function which saves passwords and take the trouble to key in passwords each time.

7.    Carry fewer devices

Monday, October 8, 2012

A lesson on keeping information secret

While preaching the Sunday sermon, our parish priest gave a vivid example of how a young mother taught her ten-year-old son a lasting lesson on keeping secrets.

He said, “Shirley was Beth’s neighbor and her best friend. Animatedly, over a cup of tea at Beth’s house, she poured out the problems she was facing with her young daughter. As she left, she asked Beth to keep what she had told her a secret, as it would affect her relationship with her daughter if she or others came to know.

Later, Beth realized that her ten-year-old son had overheard the entire conversation. She called him and said, ‘Ryan, if Shirley had left her purse in our house today, would we give it to anyone, or only to her?’ Ryan replied, ‘Only to her, mama.’ Then Shirley said, ‘Today she left something even more valuable when she shared her problems with me. We do not have the right to share them with anyone.’”

In this simple way she taught her child the meaning of confidentiality.

In a similar way, we as employees share an equal, or greater, responsibility to protect corporate and customer personal data. Organizations, like individuals, have their own confidential and personal customer data to safeguard against loss or theft by competitors and criminals. Companies need to keep secrets to protect business interests: to keep certain decisions confidential, safeguard new product development, ensure customer data privacy and keep design secrets under wraps for as long as needed.

Sunday, October 7, 2012

Security helps avoid common omissions and errors in business operations

A flash crash at the National Stock Exchange in India brought down the Nifty (stock index) by 15.5% and shut down the exchange for a short period of time. Circuit breakers were triggered after a trader erroneously mistyped a single large order into the system, interchanging the number of shares to be sold with the value of the trade. The incident exposed two types of systemic failure: the inability to prevent traders from entering erroneous orders of abnormally large magnitude, and the failure of the exchange’s processes, software and systems to swiftly freeze trading and shut down the market once the market volatility threshold of 10% was breached.

Most believe that the definition of “security” in information security is restricted to the set of measures an organization uses to protect against the malicious activities of external agents and company employees. But this is only partly true: information security ensures the confidentiality, integrity and availability of information not only against external threats but also against mistakes, errors, and faulty process and system design.

A good security plan and its implementation will always take into account all the potential misuse scenarios which have a harmful effect on an organization’s reputation, assets or compliance mandates. In layman’s terms, actions both malicious and inadvertent that endanger a business.

Most data breaches are due to simple acts of omission such as technical misconfigurations by system administrators, use of default passwords and inadequate operational checks and balances. Security, if well thought out and implemented, can prove to be a lifesaver by reducing the occurrence of operational risks in an organization’s day-to-day operations.

The trading firm in the above incident had to buy the shares back at higher prices to stay in business. The cost to the company amounted to 50% of its net worth. Had the firm put in place relevant checks and balances to validate large trades before they were keyed into the system by traders, it would have been spared the financial loss.

On a different note, a similar situation could have arisen if a malicious hacker or a disgruntled, well-informed employee had misused the system to crash the exchange with a single large trade. An experienced security professional would have brought in this perspective through a “misuse” scenario while designing or reviewing the design of trading processes and software, and would have recommended preventive controls.
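As an added illustration, not part of the original post, here is a pre-trade check of the kind the last two paragraphs call for: it validates an order’s implied price against a reference price, recognises the quantity-for-value transposition described above, and routes orders above a limit to a second approver. The reference price, the limit and the order values are constructed, and the order format is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Order:
    symbol: str
    quantity: int      # number of shares entered by the trader
    value: float       # total trade value entered by the trader

@dataclass
class Verdict:
    accepted: bool
    needs_approval: bool = False
    reasons: list = field(default_factory=list)

def validate_order(order, ref_price, max_notional, price_band=0.10):
    """Pre-trade control run before an order reaches the exchange.
    ref_price: last traded price from an assumed market data feed.
    max_notional: value above which a second person must approve.
    price_band: tolerated deviation of the implied price from ref_price."""
    if order.quantity <= 0 or order.value <= 0:
        return Verdict(False, reasons=["quantity and value must be positive"])
    v = Verdict(accepted=True)
    implied = order.value / order.quantity
    if abs(implied - ref_price) / ref_price > price_band:
        v.accepted = False
        v.reasons.append(f"implied price {implied:.2f} outside "
                         f"{price_band:.0%} band of {ref_price:.2f}")
        # The typo pattern from the incident above: the two fields transposed.
        swapped = order.quantity / order.value
        if abs(swapped - ref_price) / ref_price <= price_band:
            v.reasons.append("quantity and value appear to be interchanged")
    if order.value > max_notional:
        # Large but plausible orders are held for a four-eyes approval
        # rather than rejected outright.
        v.needs_approval = True
        v.reasons.append(f"value {order.value:,.0f} exceeds single-order "
                         f"limit {max_notional:,.0f}")
    return v

if __name__ == "__main__":
    # Constructed cases: a sound order, the transposed one, and a large one.
    for o in (Order("ABC", 1000, 59000.0), Order("ABC", 59000, 1000.0),
              Order("ABC", 100000, 5_900_000.0)):
        print(o, validate_order(o, ref_price=59.0, max_notional=5_000_000))
```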