Every week there's another story about a fraud involving cybercrime. Whether it's people falling for fake texts or e-mails, sensitive data being hacked or your whole system being held to ransom, today's criminals sit behind screens and keyboards.
Which makes you wonder why more controls seem focussed on traditional measures such as checking signatures, copying passports and digging out hard copies of utility bills. Express columnist, The Insider, argues we are losing the war on cyber-crime, because we are still fighting yesterday's battles.
"Smishing… dodgy texts… fake financial crime investigators… The headlines are just the tip of the iceberg: the finance industry has a major problem with cyber security.
Public warnings from the JFSC ordering islanders to contact the Police if they become aware of a theft are the equivalent of slamming the door after the horse has bolted: totally ineffectual. We are hopelessly ill-prepared to effectively respond to cybercrime, and need an educational plan to minimise the impact on the consumer.
Two types of ‘mainstream’ fraud have recently hit the press: the first stems from the boom of contactless payments, leading to a surge in bank fraud cases with nearly 1,000 reported in the UK each day. With more than £50billion of transactions using contactless payment last year alone, your guess is as good as mine as to how many are not reported.
Payments might be generally limited to £30 – high volume, low loss – but that didn’t stop more than £90million from being stolen in 2017. Banks don’t seem to view this as a priority, instead taking the view that this is a small loss given the total value of payments and convenience (efficiency for the banking system). But the problem could be set to get much worse. Banks are currently experimenting with ATMs that allow customers to withdraw larger amounts by simply tapping the machine.
The second issue to hit Jersey has been fraudsters targeting local residents by pretending to be their banks through text and email exchanges in an attempt to gather information allowing them to access their online bank accounts. Recently, £180,000 went missing from five islanders’ bank accounts in the space of just 24 hours when the fraudsters audaciously masqueraded as the banks’ very own fraud prevention team. One wonders whether others were too embarrassed to come forward.
Such cases are only going to continue to grow – it’s inevitable as banks continue to deploy technology to make customers’ lives easier and processes more efficient – so it’s therefore worth asking the question: where does my bank stand? Some will, of course, quickly and willingly respond to their loss-suffering customer, while others are definitely leaning towards blaming them for not being more careful.
What would be helpful is a consistent and clear statement of responsibility – no more blurred lines. If the consumer is deemed responsible – just like with their cash – they may take greater care. Banks could support them with education (we’ve already seen some nice adverts from Barclays), and schools themselves could do more to teach basic life skills. This seems the logical option.
Banks should take a clear public position as to whether they take responsibility, as a cost of business, or put it clearly with the customer. They should be forced to publish tables of cases and outcomes if we want the public to be properly informed.
But all of this is focused on the end consumer – let’s not forget the much greater problem of cyberattacks on finance firms. The problem is large and growing. Logicalis, a local IT specialist, has logged at least 124 cyber attacks in Jersey so far in 2018 and that is just one IT specialist.
Here, it is far less clear where the responsibility falls.
Firms may 'make good' with their own resources so that no client loses out, or claim on insurance (most firms include cybercrime within their insurance policies but it is not always clear if it will pay out), but cybercrime on an industrial scale – even if not visible to the public – can have a far more damaging impact: undermining the confidence of firms’ international customers, who drive our economy. Perhaps this is one of the reasons we hear so little about it.
The JFSC’s stance that firms simply 'must do more' is hopelessly ineffective. Of course they can do more, but it is impossible to prevent all attacks.
After all, the Bangladesh Bank heist of 2016 saw fraudsters successfully issue instructions via the SWIFT network at the Federal Reserve Bank of New York to withdraw $1billion. $101million was taken before further withdrawals were blocked. So the question remains: if cyber-criminals can use the SWIFT network and the US Federal Reserve system to steal from a Central Bank, what hope have we got? If they can penetrate the US Defence Department, they can penetrate any bank, trust company or financial services entity – including the JFSC.
Times have changed: firms used to avoid reporting cybercrime for fear of embarrassment. Moreover, there were concerns the authorities had a lack of interest and tools. These days, there’s no lack of reporting or interest, but the tools still aren’t there.
Jersey firms are these days concerned about reporting to the JFSC for fear of being attacked over their controls. Investigators are often under-skilled and are not operating in a framework allowing them to effectively target perpetrators – best, therefore, to shift the blame and emphasis on prevention to firms.
But it seems to me that such an approach, where authorities claim responsibility for regulating the system and attempting to make it 'fail proof', which they clearly do, but put the emphasis largely on the firms, is abrogating responsibility in this area. Perhaps because it is just too hard.
I am at a loss as to what steps should be taken in response in this 'war on cybercrime' for which the authorities clearly are not prepared. But then I’m not the one who regulates the system. That said, if I were, I would certainly put less emphasis on collecting passports – the last war – and instead push towards getting the powers to target the end criminals.
It’s obvious that there will be more large data leaks, with cybercriminals falling into two camps: mass low-volume thefts, and those who specialise in high-value industry frauds. As stated, the former is easy to solve: inform the consumer, and make it their responsibility. The latter demands our full attention as an island, as it goes to the heart of our prosperity. It might not always hit headlines, but it is here that we need the authorities to direct their energy, not the tired old KYC regime."