DarkMarket_ Cyberthieves, Cybercops and You - Misha Glenny [16]
But after the millennium hackers, crackers and criminals began to appreciate that viruses, trojans and worms could be put to more lucrative use. The key logger was born, and it multiplied over the Internet at great speed. Once this little chap nestles inside your computer, its job is to track every stroke of your keyboard. So when you type www.hsbc.co.uk into your browser, it sends that information back to its Creator or Owner, who could be anywhere in the world. If you were then to type in your password as, say, Robinhood, the virus Commander in New Jersey, Rostock, Lilongwe or deepest Ruritania would immediately log it. Bingo! Mi casa es su casa! Or, more to the point, Mi cuenta bancaria es su cuenta bancaria!*
Just as having thousands of credit-card details and bank-account numbers sitting on your computer is not a crime, nor is storing a key-logger virus. It may be a strong indication of criminal activity, but it does not amount to a case. Ploughing through the endless files, Dawson and another colleague had to untangle the hundreds of jumbled threads.
After manually inputting several thousand account details onto an Excel spreadsheet, the police then decided to approach the banks. Eminently sensible, one might think, for after all it is the banks’ security systems that Fred Brown had breached so successfully.
Think again.
Many of Dawson’s enquiries ran into a brick wall because the banks simply did not bother to respond to his requests. The detective was pushed for time throughout the investigation, and much was wasted on futile attempts to persuade banks to cooperate.
The attitude of most banks to cybercrime is ambiguous. While writing this book, a gentleman from my bank, NatWest, called me and asked if I had made any recent purchase at a jewellers in Sofia, the capital of Bulgaria. Furthermore, he enquired whether I had spent 4,000 francs settling a bill with Swiss Telecom. I said that I had not. I was then told that my NatWest Visa card had been compromised, that I would need a new one, but that I could be safe in the knowledge that NatWest had cancelled the £3,000 for which the card had been fraudulently used. Like everyone else who goes through that experience, I was hugely relieved when the bank gently reassured me that I was not liable.
But who is actually paying for that? The bank? No, they are insured against such losses. The insurance company? No, because they set the premiums at a level that ensures they don’t lose out. So maybe it is the bank after all, given that they’re paying the premiums? Yes. But they recoup the money by levelling extra charges on all consumers. Essentially, bank fraud is paid for by all bank customers.
This is something that banks understandably do not wish to have widely advertised. Similarly, they do not like the public to learn how often their systems have been compromised by cyber criminals. Journalists find it impossible to get any information out of banks about the cyber attacks that rain down on them daily. That is understandable. What is less excusable is their frequent reluctance to work with police, in case the information be revealed in open court. By refusing to admit that their customers are victims of cybercrime, for fear of losing an edge against their competitors, banks are indirectly assisting the work of criminals.
Of course, the banks have a problem: their customers are the most vulnerable part of the networked financial system. Even the finest hackers would find cracking the computer systems of the major retail and investment banks a challenge these days. But getting into most customers’ computers and then watching them access their accounts and, indeed, playing around with the money in those accounts, is child’s play for any hacker worth his or her (although usually his) salt. How can one improve one’s customers’ online habits when the great draw of Internet banking (as with so much of our activity on the Web)