In search of an administrative solution
Tracy Kitten addresses in The Fraud blog the problem of money mules. Her article gives a good overview of e-fraud and phishing. She comes to the conclusion that tracking the money flow, either through the accounts of money mules or perhaps even through physical transport, is the challenge for 2011 and beyond. I totally agree, but also would like to raise some questions. Why?
Banks as victims, banks as facilitators
Banks are often seen as the victims of cyber fraud, although it is their customers’ accounts that are emptied. It may be true that banks restore the money, but also that is paid by the customers in the end. What banks do stand to lose is reputation. On the other hand, banks also play a major role in transferring the stolen money into other accounts. This means that they have, or could have, information on how and where the money was transferred to, by whom and to whom. In what way could banks assist each other, and their customers in making their systems safer? In which way can they ensure that the registration of their customers is bettered? And in which way can they assist law enforcement to catch more criminals?
Money mules as part of an eco system
Catching money mules is an art the police is getting better at, as records show. How ever, in a lot of cases these people are desperate characters in need of a fast buck or worse, just duped. Who are other people in the eco system? Behind them there is are persons recruiting the money mules on behalf of cyber criminals often in another country. In front is the cyber gang reaping the profits. It is especially with the last category that LEAs tend to be bothered by cross-border jurisdictional problems, but where banks could actually come to the rescue.
Are administrative measures a possible solution?
The cyber criminals need outlets to cash their money. This can be done in a number of ways, but there has to be an account somewhere connected to some kind of card. This is a* main spot in which the weak underbelly of the cyber gang reveals itself to the world, where the underworld has to surface in the real one. What are the chances here for banks, credit card companies and international money transfer organisations, whether digital or with offices, to make use of this soft spot? What are the possibilities to assist in stopping cyber crimes like phishing? It could be in more accurate information.
Economically the financial industries’ argument that the cost of cyber crime does not weigh against the cost of draconian protection measures may be sound. Some customers may remain easy victims, as a whole the system can still be secure enough, for now. This does however not deal with the reputation angle, nor with the trust end users have or lose in the system as a whole. The big difference may be made by putting in place sound administrative measures, which may not be so expensive. Better information on customers at financial organisations stands for a higher entrance level for criminals as well as for better intelligence for LEAs when they start a case. This could well be one of the missing puzzle pieces we are looking for in fighting cyber crime (and many other crimes for that reason). Knowing who your customer is, may just go a long way.
If the world discusses cyber security strategies, financial institutions can play a part also.
* Others are domain names, IP addresses, hosting, etc. Over these examples banks do not have influence.
Wout de Natris
Leiderdorp, 3 February 2011