Thought for the day: The fight against fraud

2005 is set to be a critical year for criminal activity, says Peter Dorrington

This year has been a busy one for fraudsters and fraud-busters alike, and 2005 looks set to be even busier. What has typified 2004 has been the increasing technical sophistication of fraudsters and their more serious and organised criminality. For example, we have seen a dramatic increase in phishing - obtaining real account details by the creation of counterfeit websites, often supported by an e-mail campaign to attract the victims.

A less direct approach has been the blackmail associated with distributed denial of service attacks on e-businesses, especially those which depend on large numbers of online transactions to make money.

The direct collection of account information - data harvesting - from businesses by staff has also risen in profile and, like phishing, this is usually a precursor to identity-based fraud.

Milestones in compliance

But the good guys have not been idle. This year saw the commencement of the chip and Pin programme in the UK. The initiative will dramatically reduce the incidence of opportunistic card crime, but at the potential cost of displacing the crime into other areas and forms. In addition, legislators and regulators are bringing greater transparency and accountability to a variety of sectors, but especially financial services.

Next year will see a lot more of the same, particularly in chip and Pin. The beginning of 2005 will see a change in the front line from banks to merchants as the roll-out nears completion. For financial services firms, important pieces of compliance legislation reach key milestones - especially in the gathering of data to support a truly "risk-based" decision-making process.

For the public sector, the Freedom of Information Act is acting as a catalyst to get real control on data held within large organisations. One by-product of all of this regulation is an increased pressure on the IT function to deliver compliance. IT directors will need to work hard to show that their part of the "people, process and technology" of effective business controls works.

Despite these initiatives, we will see an even greater exploitation of technology as fraudsters find routes through, round or under the safeguards we are putting in place.

For IT directors, 2005 will prove to be critical as businesses become more reliant on IT to provide protection from serious and organised crime - which will take a serious and organised defence. We can expect more direct attacks on technical infrastructure as well-heeled, motivated and technically competent criminals exploit vulnerabilities in operating systems, networks, databases and enterprise software.

Beware of data harvesting

Data harvesting will become commonplace as criminals become more dependent on identity theft or impersonation to carry out crimes. IT systems, particularly those in the financial services sector or those dealing with sensitive customer/supplier data, will need to be able to identify data harvesting by employees - tricky as there may be no initial loss to trigger an investigation.

In particular, we should brace ourselves for attacks against non-financial services companies, as they are seen as repositories of valuable customer information without the safeguards of sophisticated protection mechanisms.

We should also expect an increased international dimension to fraud that will prompt greater cross-border co-operation among law enforcement agencies, which will share best practice.

For example, the healthcare sector has recently established the European Healthcare Fraud & Corruption Centre, which has brought together the NHS and other European partners to combat the enormous problem of fraud in this area.

Finally, we are all going to have to think about what we are prepared to compromise to protect ourselves from criminals. Inter-agency data sharing and increased levels of scrutiny of corporate or public sector data come at a cost - typically a loss of some privacy.

If we can balance the need for intrusion (for the sake of detection) and privacy, perhaps we can all engage in a sensible debate on this subject. The government is committed to the introduction of ID cards. What else might we be prepared to accept?

Peter Dorrington is head of fraud solutions at SAS UK & Ireland
