Failures of Information Security: Observing the World and Asking Why

By Adam Shostack and Andrew Stewart, Addison-Wesley Professional

In December 2006, Turkish authorities announced the arrest of Ali Y’nin and nine accomplices for bank fraud. They accused Y’nin of leading a gang that sent millions of virus-laden emails. About 11,000 of the recipients opened the email message and unknowingly infected their computers. Then when the victims used online banking services, the gang captured the passwords for those bank accounts and drained them using false identification, fake ATM cards, and Western Union money transfers.

How have we found ourselves in a world in which a small Turkish gang can drain bank accounts on such a massive scale? The police state that Y’nin and his accomplices sent 3.4 million emails and compromised about 11,000 bank accounts. That is a success rate of only 0.3%, but it is hard to imagine that Y’nin was disappointed at being able to access the bank accounts of “only” 11,000 people.

This chapter from the book The New School of Information Security is provided courtesy of Addison-Wesley Professional.

Part of the answer is that because the interconnected world of computers and the internet provides many advantages to criminals, they are drawn to electronic crime. Attacks can be automated and carried out in large numbers. Imagine Y’nin attempting to perform the same fraud, but in person at bank branches. If each member of his gang tried to walk into the same bank branch claiming to be a different person each time, even a bored security guard would catch on after a while. If the gang spent all day traveling to different banks and spent one hour per account, they would be doing nothing but going from bank to bank eight hours a day for over six months. The internet makes everyone more efficient, even criminals. Perhaps especially criminals.

Although Y’nin and his gang were eventually caught, it is much harder to catch an electronic thief than a robber in the physical world. Investigating a burglary might take the police an hour or perhaps a day. An electronic break-in executed across international borders might require months or years of investigation. Only a few national police agencies take on cases that require such an investment of time and effort, whereas anyone connected to the internet can now attack computers around the world. In some of these countries, laws about electronic crimes might not be clear, or there may be no effective local law enforcement to make an arrest. Is it illegal to send email spam from China? What happens if an attacker launders his attack through a computer in Nigeria? Some large companies are dedicating resources to helping police forces investigate attacks that matter to them, but it is not clear if this strategy is a good investment. Another challenge for law enforcement is that the skills required to investigate computer crime quickly go out of date because of the rapid advance of technology. If an officer learned to develop latent fingerprints thirty years ago, that knowledge is still valuable in investigating crimes. In contrast, the ability to perform a forensic investigation of a computer that runs Windows 95 is of little use today.

Because attackers can carry out attacks in a highly automated way and because they are unlikely to ever be caught, online crime is attractive to criminals not just in Turkey, but everywhere. American brokerage houses have found themselves losing millions of dollars to schemes in which criminals use other people’s money to “pump and dump” the stock market. The scheme starts when a thief buys some thinly-traded penny stock. The thief then breaks into the victim’s bank account and uses the person’s money to buy up that stock. The stock rises in price, and the thief then sells his holdings in the now-inflated stock, leaving him much richer and the victim much poorer. (If the thief is clever, he might even set up automated sale orders. The link between the thief and the automated selling of the stock is hard to prove, as is the fact that someone gained illegal access to the victim’s account.)
