CYBER CRIME OUT OF CONTROL IN AFRICA

Complacency, Lacking of Constructive Digital Security Approach Allows Cybercrime and Phishing to Flourish

Syl Juxon Smith-BSc

AFRICA HOMELAND SECURITY INITIATIVES WITH HOME GROWN SOLUTIONS

Most areas of internet, intranet and cybercrime attacks in Africa is rising sharply year after year. This trend is partly caused by both consumer and the authorities complacency about their security, combined with more sophisticated phishing attacks been perpetrated from outside exploiting the weak security within the cyber infrastructures in every gamut of Communications, Information and technology including data storage facilities.

The figures are very alarming coming from international comprehensive reports that gathers information from publicly available sources about a variety of computer and fraud related based crimes in Africa and globally.

One notable trend is the rise of account takeover where, instead of using false IDs to open new accounts, fraudsters focus on stealing details and access codes for existing accounts of customers or clients, using a combination of phishing emails and Trojans to gather the information. This account takeover activity is rising rapidly especially in government institution were the intranet is mainly used to fast track payments and transactions.

Now that the banks are less forthcoming with credit, and doing more thorough checks [on new accounts], the fraudsters are focusing more attention on getting hold of existing bank account, credit card account, or even online trading account. There is a clear rise in account takeover fraud. More rampant is especially the ATM machines which lacks adequate and proper security systems and forensic auditing trail. Many of its crime is not taken seriously but swept under the carpets in most cases without compensation and watchdog reactions because of no financial policy dealing with this level of crime. Governments must start looking at creating cyber commissions’ to deal with overall cyber crimes and nefarious activities pertaining to ICT. It will help greatly and protects national sovereign integrity. It must be done sooner or the entire security will be compromised and confidentiality contaminated.

A case scenario from report highlighted a 132% increase in online banking fraud with losses totalling £52.5m, compared to £22.6m in 2007. The sharp rise can be mostly attributed to nearly 44,000 phishing websites specifically targeting banks and building societies in the UK alone and other European countries as well.

The cyber fraudsters and phishers are getting more sophisticated, not necessarily in technical terms, but in the content of the emails. We are seeing phishing attacks that use the names of MPs, or which pretend to be from DHL, telling you your package has not been delivered, and to click “here” for more information. We have also seen a wave of messages purporting to come from Inland Revenue, sometimes promising a tax rebate.”

By monitoring the ‘dark market’ where stolen details are traded on the Internet, reports has also detected a massive rise in activity, not only in the sale of stolen credit card details, but also login passwords. “A year ago, you’d see 50,000 credit cards numbers a month appearing in these trading sites for fraudsters. Now we see around 120,000 a month,” he said. “We are also seeing stolen login information being bought and sold. These include logins for Web email, social network sites, eBay and PayPal. A year ago you’d see between 6000 and 10,000 of these a month — now it’s 300,000.”

Many people are often less concerned about protecting their webmail login details, but these credentials can be used to find other valuable pieces of information. “The fraudsters go into those email accounts, look for any other useful information that might give them access to other accounts. They might go to other sites you use, claim their password is lost and have a one-time password sent to that email address. They will use your webmail address to try and pick up as many one-time passwords from other facilities that you use.”

One other factor contributing to the rise in cybercrime attacks, could be a certain complacency among clients, consumers and service providers. “In 2006/7, there was a lot of publicity about ID theft, and consumers became more aware, they bought shredders to get rid of confidential documents, and thought the job was done,” he said, but since then the fraudsters have adopted new techniques.

Users must be advised professionally to be proactive in taking more responsibility for their own security, especially since the crime is so hard for law enforcement to tackle.

In addition to covering financial and identity crime only, other report also tracks online harassment, computer misuse (spreading malware), sexual offences (mainly paedophiles) and land registry (switching ownership of land) and other document fraud.

Africa must hold more workshops and networking for better understanding and sharing of experiences which can pass on information’s to the less informed. This is not a climate for monopolising pertinent valuable information which can help to reduce the frequencies of attacks through ignorance.

Chat rooms and instant messaging are potential havens for online predators and opportunist on kids’ weaknesses and innocence. Unfortunately, these means of communication are so popular among kids and it is very difficult, if not impossible to ban the use of these. So to make sure that you are still safe while using chat rooms and instant messaging, it is important that you understand properly the dangers of these services and the ways to avoid them.

Important Safety Advices for Kids

•    Don’t trust anyone you meet in the chat rooms. People aren’t necessarily who they say they are online.

•    Chat rooms often ask for profiles, make sure that you don’t give personal information and leave as much blanks as you can.

•    The best way to create relationships is by meeting people personally and not in the chat rooms. In this regard, it isn’t safe to build relationships online and meet them personally afterwards.

•    Choose moderated and child-friendly rooms. Stay in public chat rooms and don’t engage in private conversation with people you don’t know. Ignore any private messages from unknown people.

•    If you entertain private chat, don’t give any personal information such as your name, phone number, address, email address, credit card or bank account information, pictures, and school details. IM softwares aren’t encrypted so sending sensitive information such as bank account or credit card numbers can be picked up by other users with the right tools.

•    If you aren’t comfortable talking to someone online, ignore his/her message. Stay away from people harassing you. Report them if necessary.

•    Talk to your parents if you have experienced unpleasant or uncomfortable conversation to others.

•    Don’t use your real name; use a nickname.

•    Don’t use your primary email; use an alternative one.

•    Don’t allow other people to view your webcam. Don’t use a webcam if unnecessary.

•    Don’t accept unsolicited files from other people. Disable automatic downloads. If you ask for a file, scan it first with your antivirus before opening.

•    Listen to your parents.

•    Don’t engage in fighting with anyone in the room.

You may not follow everything stated above but remember this: you make consequence through your actions so better be safe at all times than suffer the consequences later.

Indian Approach towards the Fight against Cyber Crime

INTRODUCTION

Internet in India is growing rapidly. It has given rise to new opportunities in every field we can think of, be it entertainment, business, sports or education. Internet also has its own disadvantages. One of the major disadvantages is Cybercrime – illegal activity committed on the internet. The internet, along with its advantages, has also exposed citizens to security risks that come with connecting to a large network. Computers today are being misused for illegal activities like e-mail espionage, credit card fraud, spam’s, software piracy and so on; criminal activities in the cyberspace are on the rise. As the cases of cybercrime grow, there is a growing need to prevent them.

Legislation   

Information Technology Act (IT Act) 2000

The government of India introduced the Information Technology Act, on 17th October 2000. Information Technology Act (IT Act) 2000, is the India’s only cyber law. The IT Act is aimed to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”.

India has done a good job by enacting a cyber law. It is the 12th country of the world having a cyber law. It covers areas like e-governance, e-commerce, cyber contraventions and cyber offences.

Information Technology ACT 2000 Effects in Combating Cyber Crime

According to Section 75 of the Act, the Act applies to any offence or contravention committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India. The IT Act prescribes provisions for contraventions in Chapter IX of the Act, particularly Section 43 of the Act, which covers unauthorized access, downloading, introduction of virus, denial of access and internet time theft committed by any person. It prescribes punishment by way of damages not exceeding Rs. 1 crore to the affected party. Chapter XI of the IT Act discusses the cyber crimes and offences interalia, tampering with computer source documents (Sec. 65), Hacking (Sec.66), publishing of obscene information (Sec.67), unauthorized access to protected system (Sec.70), breach of confidentiality (Sec.72), publishing false digital signature certificate (Sec.73).

The implications of IT Act 2000 provisions for the e-businesses would be that email would now be a valid and legal form of communication in India that can be duly produced and approved in a court of law. Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act. Digital signatures have been given legal validity and sanction in the Act. The IT Act also addresses the important issues of security, which are so critical to the success of electronic transactions.

One of the first cases where the accused was convicted under the IT Act provisions was the case of State of Tamilnadu V. Suhas Kutty. The case related to posting of obscene, defamatory and annoying message about a divorcee woman in the yahoo message group. E-Mails were also forwarded to the victim for information by the accused through a false e-mail account opened by him in the name of the victim. The posting of the message resulted in annoying phone calls to the lady in the belief that she was soliciting. The accused was found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000 and the accused was convicted and was sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/-and for the offence under Section 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence under Section 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/-.

Eight years have passed since the act was enacted and in these eight year’s technology has changed at a much faster pace. Though law cannot possibly be expected to keep pace with changes in technology, still there are few areas in the current cyber laws which need some attention.

Some Important Shortcomings of the Information Technology Act, 2000

Pornography

The term ‘pornography’ when used in relation to an offence is not defined in any statutes in India. But Section 67 of the IT Act lays down the law that obscenity is an offence when it is published or transmitted or caused to be published in any electronic form. The expressions, ‘publishing’ or ‘transmission’ have not been specifically defined under the IT Act.

Even the punishment for pornography is not sufficient in India and in the proposed amendment in IT Act the imprisonment is being reduced to two years from the present five year imprisonment. Though legislations worldwide contain severe provisions for child pornography there is no mention of child pornography in the Indian Act. It is interesting to note down that the Information Technology Act prohibits publishing of pornography but viewing of pornography is not an offence under the act.

Data Protection in Internet Banking

The Information Technology Act talks about unauthorized access but it does not talk about maintaining integrity of customer transactions. The act does not lay down any duty upon banks to protect the details of customers and clients. U.K has a data protection law which was enacted 10 years back that is in 1998 under which banks or any person holding sensitive information may be held liable for damages if it fails to maintain adequate security protection in respect of data.

Spamming

Recently the Government of India revealed that as much as 76 per cent of e-mails originating from India are spam’s, although the country accounts for only one per cent when compared with top 25 spam-producing nations. The business of spamming is not only lucrative but is also unregulated to a greater extent. The laws for the prevention of spam in India are missing. Even the IT Act, 2000 fails to address this issue.

USA and the European Union have already enacted anti spam legislation.

In the United States spam is legally permissible according to the CAN-SPAM Act of 2003 provided it follows certain criteria. If the spam fails to comply with any of these requirements, then it is illegal.

Article 13 of the European Union Directive on Privacy and Electronic Communications (2002/58/EC) provides that the EU member States shall take appropriate measures to ensure that unsolicited communications for the purposes of direct marketing are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by National Legislation.

Identity Theft

The IT Act, 2000 does not have any specific provision to deal with Identity theft. It is clear that Indian politicians just do not understand the problem associated with personal identity theft that India employees of outsourcing firms commit. In the face of the controversy generated over leakage of personal information of UK customers through an Indian web marketing firm, prime minister of India has asked the Information and Technology department and industry association Nasscom to consult all stakeholders and give suggestions for changes in the existing laws and, if necessary, to ensure that any breach of secrecy, illegal transfer of commercial and other privileged information and any other form of cyber crime is made a punishable offence.

These are some of the important shortcomings of the Information Technology Act, 2000. Though an amendment was proposed in the Act in 2005, the bill has still not been passed and moreover the bill also fails to address these issues and shortcomings. It seems quite evident that by the time the bill is passed, it would have become obsolete and ineffective.

Challenges to Legislative Measures

Cyber law in India is in its infancy and is struggling hard to meet the contemporary Information and Communication Technology (ICT) requirements. ICT Trends in India-2006, ICT Trends in India-2007, Cyber Security Trends-2007, etc have proved that India has not paid enough attention to the legal framework for the information society and legal enablement of ICT systems in India. To worsen the situation we have a weak cyber and ICT security in India. Cyber and ICT security in India is an ‘ignored world’ and the same is not going to improve due to the faulty cyber security strategy of India. This precarious situation has lead to an insufficient critical ICT infrastructure protection in India. The critical ICT infrastructure protection and management in India have still not got the attention of government of India and private industry players. In short, the ICT strategy of India needs rejuvenation so that we may have a sound cyber law and effective ICT and cyber security.

To compound these problems, many victims of cybercrime are unwilling to file their cases with the authorities. The true magnitudes of cybercrime, as well as demographic statistics on perpetrators and victims, are unknown because most incidents of cybercrime go unreported. The reason behind this is that the victim is either scared of police harassment or wrong media publicity. For minority and marginalised groups who already bear the brunt of media bias, reporting online harassment to the police may simply draw further unwanted attention.

The good news is that, despite these limitations, cyber crimes are detected and culprits are being punished. In October 2002, the Delhi High Court restricted a person from selling pirated Microsoft software over an Internet auction site. Some of the big cities in India where cyber crime cells do exist, there is potential for improvement. There is an immense need for training, and more cities need to have such cells.

Conclusion

There is an urgent need for unification of internet laws to reduce the confusion in their application. For e.g. for publication of harmful contents or such sites, we have Indian Penal Code (IPC), Obscenity Law, Communication Decency law, self regulation, Information Technology Act 2000 ,Data Protection Act, Indian Penal Code, Criminal Procedure Code etc but as they deal with the subject vaguely therefore lacks efficient enforceability mechanism. Due to numerous Laws dealing with the subject there lays confusion as to their applicability, and none of the Law deals with the subject specifically in total. To end the confusion in applicability of Legislation picking from various laws to tackle the problem, i would suggest unification of laws by taking all the internet laws to arrive at Code which is efficient enough to deal with all the problems related to internet crimes. Although these legislations talk about the problem but they don’t provide an end to it. There’s need for a one Cyber legislation which is co-ordinated to look after cyber crimes in all respects. With passage of time and betterment of technology in the present date, has also resulted in numerous number of Information technology related crimes therefore changes are suggested to combat the problem equally fast.

No matter how hard you try to protect your kids, they will still find a way to navigate the internet and manage to access sites that you block. And if at the moment they can’t access these sites, I say to you that it is just a matter of time before they break your security lock and proceed to their online activities without you knowing.

First of all, there is something you should know. There are many ways your kids can manage to break through the security wall of your computer. They will and they can keep finding ways as long as they see something to block their access to forbidden sites. They can use proxies, other IP address, disable security settings, and download software that can counteract the security setting.

What’s the use of web security software then?

Take note that even web filtering software manufacturers will admit that their products aren’t 100% foolproof. So if you have different security software installed on your computer, your kids can still access sites beyond the security line. Web security softwares are only effective if you use it properly and if your kids don’t know how to unlock it or use other ways to bypass your setting.

What should you do then?

If you have different security filters on your computer and still your kids are able to make access of the following sites, then you have to know which method they are using. This is the only way where you can outsmart them.

Learn more about the computer, the proxies, RDP, SSH, VNC, Google translator and Tor. These are the things that are commonly used to crack security access. Ask your kids about them. Suspect that they are bypassing your security setting if they can explain these vividly to you or if they are obviously avoiding discussing these topics.

Create access passwords so that they can’t disable your web filtering software. Change it regularly.

Most of all, you need to talk to your kids about this issue. They may resist what you say and may argue with you on this but if you talk to them good then they may reconsider. The thing is, good parenting coupled with open communication is the key to make sure that they are always safe when they are online. Try to invest in these things early and you can reduce the risk of your kids being put in danger.

Spyware, Keyloggers, Hackers, Cyber Terrorists, Cybercriminals, Cybergangs, etc. These threats are real and the fact is your computer is most likely infected already! Cybercrime is on the rise. You may not be the only one using your computer. Hackers may be using your computers and you may not even know it. Would you ever know it if your computer were taken over and being used by a hacker? Not likely. When a hacker hijacks a computer, the victim rarely knows. A computer that has been hijacked is one that is completely taken over by a hacker, or a group of hackers, to be used for their own purposes. The idea is that the real owner of the computer never knows their system has been hijacked, so the hackers can secretly use it whenever and however they want.

One of the latest hacking trends is called “Drive-by Hacking”. Popular wireless Internet access points have now become a major target for hackers. Hackers simply take their laptop computers in their cars and drive through business parks or residential neighborhoods remotely scanning for open wireless networks. This is the latest version of the drive-by garage door remote theft where criminal would use universal remote controls to open garage doors without arousing the suspicions of neighbors, police, or home security companies.

Today millions of businesses and homes have implemented wireless networks for their convenience, and, sadly, for the convenience of the cybercriminals. And they don’t even have to open your garage door to enter your home or business.

Now hackers can simply pull up outside, up to 600 feet away, and gain access to the network, the Internet, and every computer on the network. This kind of hacking has become so popular that you can even find public websites around the globe that sell maps to all the known “open” wireless networks.

Once your computer has been hijacked, the hacker claims ownership of your computer and there is little you can do unless you protect your computer in advance against this threat. In fact, in many cases when hackers have taken over a computer, they will even “heal” the computer by closing the security holes, so no other hacker can break into the computer and use it too. (Can you imagine? Criminals protect their hijacked computers from other criminals.)

Computers that have been hijacked and are under the control of a hacker are known as “zombies”. Some of the more popular uses for a zombie computer include using it to send spam emails, distribute pornography, download illegal copies of software, and to anonymously attack another computer, a business, a website, or even a government agency.

There have been many cases in the U.S. and around the world where a business or home computer has been hijacked and used for illegal purposes without the computer owner’s knowledge. These victims have had their computers used to distribute child pornography, deface websites, and even hack into government computers. In many cases, the owner of the hijacked computer (the business owner or the homeowner) has been arrested and hauled off to jail, only to be humiliated, demoralized and even convicted for crimes they didn’t commit.

See ABC’s 20/02 video about an unsuspected 16 year-old high schooler who was arrested as a child pornographer after his pc was hijacked and used to distribute child pornography. Click this link: ABC News’ 20/20 video.

Hackers are very good at hiding behind their slave or zombie computers. A hijacked computer is a hacker’s protection of anonymity. As unbelievable as it may seem, hijacked computers, zombie computers actually have a street market value in the hacker community. The better the computer and the faster the Internet connection of the slave machine, and the bigger the hard drive, the more it is worth on the market. Zombie computers are often leased out by hackers to other hackers, or even to organized crime groups, to be used for illegal purposes – without the computer owner’s knowledge. If a hacker or a cybergang can take over a hundred or a thousand computers, they have an army of computers at their disposal.

Here are some facts:

* If your computer has become a “zombie” or a “slave” to a hacker, the use of your computer could be for sale somewhere on the Internet or an auction website. Your computer’s power is valuable to hackers.

* Today, there are organizations that claim “ownership” of more than 450,000 zombie computers around the world that they use to anonymously send spam.

The best defenses are a combination of education and managed protection service. Off-the-shelve individual or combined anti-spyware, antivirus, and anti-spam software programs may not be sufficient protection, because hackers seem to stay one step of these programs. The popular off-the-shelf products offer you no personalized support. If you want help, you’ll pay for it over and over again! If you need a virus removed with these cheap programs, you’ll pay for it. You may get technical support from your PC manufacturer for security problems, but in most cases, you probably will not. Even if you do, it will likely be for a fee, and one that repeats itself should you need additional help down the road.

Because hackers will likely always be one step ahead of the security industry itself, software-based protection alone is not enough. 85% of current anti-virus users have been infected with a virus or worm! Have you ever had a virus you couldn’t get rid of? Has your computer acted funny or has it slowed way down due to a massive spyware infestation? Does your computer have a virus, spyware, malware, or hacker hiding inside? Test it now to be sure. Go to www.SayNotoHackersandSpyware.com to take a free Internet security audit to determine which trojans and hacker spyware tools might be infecting your computers.

To protect yourself, you need an Internet security team of experts making sure that you, your family, and your business computer are always safe and secure. The best protection you can have in today’s rapidly changing world of cyber-attacks is to have expert support for all your Internet security needs that will provide technical support without any hassles and without charging you extra fees. It will become even more critical than it is today as time goes on. You need to find your own personal team of experts to rely on. If you ever have a security problem, you will want to have a trusted expert you can call for professional help, without any hassles and extra costs!