Grappling With Crime Wave on the Web

The Web site for the European Union Bank, the world’s first offshore bank on the Internet, offered potential depositors a tantalizing feast: “total privacy” and “strict confidentiality” along with an “internationally attractive interest rate offered in the milieu of a tax-free jurisdiction.”

Attractive, indeed: The 3-year-old institution, incorporated on the Caribbean island of Antigua, offered rates up to 10 times higher than those at other banks. Millions of dollars poured in from hundreds of depositors around the world, undeterred by a warning from the Bank of England that the whole thing might be too good to be true.

Alas, London’s stodgy central bank turned out to be right. But depositors, blinded by dollar signs, continued investing right up until the two Russian-born owners disappeared last August and the European Union Bank went into receivership. Depositors who had pumped more than $10 million into the bank were left high and dry.

British authorities cite the European Union Bank as a prime example of the dangers that lie in wait for the unwary--and the greedy--who use the Internet for financial transactions. Bank scams are only one manifestation of crime on the World Wide Web.

Computer hackers regularly attack the information systems of large corporations and government agencies to commit commercial espionage, a crime that costs an estimated $100 billion a year in the U.S. alone. Drug cartels use international banking systems to launder millions of dollars in illegal profits, wiring the money in and out of legitimate businesses faster than law enforcement agencies can track it. Unscrupulous investment services reap millions of dollars in profits from the promotion of worthless stocks.

Crafty cyber-thieves have found that they can steal a lot of money with very little risk. FBI and bank security sources say that the average electronic bank theft in the United States nets about $250,000 and that only about 2% of the thieves are being caught.

Daniel Geer, an engineer for Open Market, a Cambridge, Mass., company that provides secure business access to the Internet, told a subcommittee of the U.S. House of Representatives earlier this year that stealing money by computer is far safer than holding up a bank with a gun.

About 80% of the robbers with guns wind up in prison, he said, and their average take is only about $7,500. By contrast, he cited the case of Russian computer thieves who stole $10 million from Citibank.

Hackers are typically caught only if they become too greedy, Geer said. “They start out stealing $1,000 a day and figure they can get away with $2,000 a day, and they hit some figure which sets off alarm bells.”

While the Internet is widely viewed as a key to expanding the global economy, neither governments nor private institutions have found an effective strategy for preventing an increasingly serious crime wave.

Rosalind Wright, director of the Serious Fraud Office of the London Metropolitan Police, calls the Antigua case part of “a great army of Internet banking services, linked with offshore banking with their layers of secrecy through which drug money, bribes, proceeds of other major crime and untaxed millions can be moved with ease away from the prying eyes of the authorities.”

Wright, speaking at a symposium on globalized crime at Cambridge University that attracted more than 900 delegates from 94 countries, warned of a sharp increase in various types of crime on the Internet.

At the same symposium, Raymond W. Kelly, undersecretary for enforcement at the U.S. Treasury Department, said computer criminals in cities as diverse as Palermo, Moscow, Hong Kong, Lagos, Bogota, London and New York “view crime as a true investment and export commodity and increasingly are moving back and forth between legal and illegal activity.”

U.S. Had Early Lead in Exploiting Internet

The United States seized a substantial early lead in exploiting commercial opportunities offered by the Internet. But Europe is fast becoming more competitive, and the 15-nation European Union predicts a sharp boost from the introduction of a single European currency in 1999.

Europe’s largest telecommunications firms are already increasing their Internet access services. Datamonitor, a research firm, reports that major phone companies in Belgium, Britain, Finland, France, Germany, Italy, the Netherlands, Spain and Sweden control 34% of global Internet access. Eight of nine telecommunications companies surveyed offered some kind of online services, and all nine planned to expand their services.

Dataquest, a U.S. market research group, reported recently that an estimated 82 million computers worldwide will be linked to the Internet by the end of this year--up an astounding 71% in just one year. It predicts that the figure will triple to 268 million in the next four years.

Cyber-Dilemma: Protection vs. Privacy

How can countries curb the illegal, unethical and unfair activities that now increasingly pollute the global network? And thornier still, how can they do that while protecting the privacy of Internet users?

Since the United States is the world’s biggest Internet user, it is the scene of most computer crime. It is also where the most significant regulatory efforts--and discussions about needed laws and regulations--have taken place.

The FBI is seeking legislation giving it the authority to control encryption technology, the data-scrambling techniques that enable businesses to protect the privacy of their Internet communications. The FBI argues that the same technology can be used by terrorists and drug dealers to escape detection and that U.S. encryption products should provide law enforcement officials, under warranted circumstances, with access to “keys” for decoding the messages.

Five House panels have recommended conflicting versions of legislation that would overhaul U.S. encryption policy and remove stringent export controls on encryption technology. House Rules Committee Chairman Gerald B.H. Solomon (R-N.Y.) says he won’t send a bill to the floor if law enforcement officials would have insufficient access to electronic messages.

European Commission officials oppose U.S. export controls on encryption technology and have spurned U.S. proposals that would allow law enforcement to monitor Internet communications between individuals or businesses.

Adair Turner, director of the British Confederation of Industries, said British business interests became concerned only after finally recognizing that “the technology is roaring far ahead of the legal framework” for dealing with such issues as secrecy, encryption and data protection.

Security concerns have caused some European firms to shy away from the Internet. An official of the British American Tobacco Co. in London said his firm, among many others, regards every e-mail address as a potential access point that could be penetrated by thieves looking to steal sensitive data.

Both the U.S. Commerce Department and the European Commission (the executive body of the European Union) emphasize the need for laws and rules to prevent fraud, data theft and other illegal activities. At the same time, they stress the importance of keeping global electronic networks as insulated as possible from laws or regulations that might hinder free trade or the free exchange of ideas.

While governments are occupied trying to strike a balance between those two sometimes clashing goals, online crooks are staying several steps ahead of them as they move quickly to take advantage of the rapidly developing communications technology.

“The drug kingpins can buy the very latest equipment and pay the best technicians to manipulate the Internet,” said an American diplomat in London who is an expert on computer crime. “Governments are still debating the kinds of methods, funds and resources they think should be devoted to the problem.”

Since banks and financial institutions often fail to report electronic crimes for fear of bad publicity, there is no accurate way to estimate the total take from Internet theft.

The San Francisco-based Computer Security Institution, in a survey of 536 companies, financial institutions and government agencies, found that 75% reported large monetary losses, but only 17% of the computer crimes were reported to law enforcement agencies.

The FBI estimates that computer-using thieves make off with as much as $10 billion a year in the United States alone. In the United Kingdom, the British Banking Assn. has estimated the cost of computer fraud at $8 billion a year.

“Even the most conservative estimates suggest that both the number of incidents and the dollar losses are staggering,” said Scott Charney, the U.S. Justice Department’s chief of computer crimes.

And that does not count the cost of computer espionage, which cannot be easily measured in dollars. In a survey of 428 information specialists with Fortune 500 companies, the Computer Security Institution found that 42% reported unauthorized penetration. The White House Office of Science and Technology has estimated overall losses to U.S. businesses from foreign economic espionage at nearly $100 billion a year.

Reports about the vulnerability of U.S. government computers have been just as startling. Hackers have penetrated the Web sites of several government agencies, including the Justice Department and the CIA.

Congress’ General Accounting Office reported that, in 1995 alone, the Defense Department may have experienced as many as 250,000 hacker attacks, an estimated 64% of which succeeded.

Earlier this year the U.S. Defense Science Board’s task force on information warfare predicted that, by 2005, widespread hacker attacks by crime syndicates, terrorists and foreign espionage agencies would seriously threaten U.S. information systems.

The task force described current practices and assumptions as “ingredients in a recipe for a national security disaster” and called for “extraordinary action” on an international scale.

A U.S. Federal Trade Commission official once called the World Wide Web “an ocean of knowledge with a few sharks in it.” Along with the FBI and the Securities and Exchange Commission, the FTC now warns that the number of sharks has increased sharply.

U.S. Mounts Counterattack

The United States has mounted a belated but increasingly active counterattack. Private, federal and state organizations have been monitoring the Internet for deceptive ads, consumer fraud and other unlawful activities. Private organizations are assisting government agencies in regulatory efforts.

For example, the Council of Better Business Bureaus provides for online filing of complaints and offers business and consumer alerts. Other organizations, such as the National Assn. of Insurance Commissioners and the National Assn. of Securities Dealers, have joined in the effort to monitor the Internet for illegal or unethical activities.

The FTC, which prosecutes firms and individuals using the Internet in violation of fraud and truth-in-advertising regulations that govern other media, has aggressively policed the network and identified new frauds. Earlier this year the FTC unearthed a scheme involving telecommunications marketers in emerging nations to bilk consumers around the world.

Officials said three companies based in Long Island lured online computer browsers with promises of free pornography and then hit them with exorbitant telephone charges to a phone number in Moldova, a former Soviet republic. The FTC accused the defendants of running “one of the most insidious scams” the agency had ever encountered, and a federal judge in New York ordered the operation disbanded.

The SEC has been busy bringing legal action against con artists who bilk investors and firms or individuals who offer unregistered securities for sale over the Internet.

In a typical stock fraud uncovered by the SEC, a Miami businessman, Charles Huttoe, pleaded guilty to securities fraud and money laundering in connection with an Internet stock-picking service. Huttoe and five others were charged with reaping millions by illegally driving up the price of shares in their firm and then laundering the profits.

Last year the SEC established an electronic mailbox--the “enforcement complaint center”--to be used by investors to report possible cases of security fraud.

“There exists a remarkable culture of self-policing by Internet users who resent the intrusion of crooks and thieves trying to exploit this new medium,” the SEC said. But it said many Internet users, fed up with those who abuse the system, are beginning to cooperate with authorities.

In other countries, as well as in the U.S., users policing the electronic global networks have been a big help. But nothing is more important than ongoing efforts by governments to adopt and enforce measures to curb fraud, theft of data and other illegal activities, while leaving the networks as free as possible of regulations that impinge on free trade and the free flow of ideas.

The European Commission declared in its Initiative in Electronic Commerce that international cooperation and global consensus on policing the Internet are essential.

Stanley Morris, director of the U.S. Treasury Department’s Financial Crimes Enforcement Network, agrees. “Most anti-corruption strategies are doomed to failure,” Morris said, “unless officials learn new methods to deal with criminals adept at using new technology.”