Comments on: Cyber Crooks Leave Traditional Bank Robbers in the Dust http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/ In-depth security news and investigation Wed, 23 May 2012 04:43:41 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Joseph Concannon http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-11601 Joseph Concannon Tue, 19 Oct 2010 19:46:13 +0000 http://www.krebsonsecurity.com/?p=1609#comment-11601 Hi Folks, Reading with some interest here since we're trying to develop our focus for our December Financial Services event for InfraGard. InfraGard is a public/private initiative of the FBI www.infragard.net and the undersigned runs the NY InfraGard Members Office www.nym-infragard.us. So, why, why..why? Well, my considered opinion and years at NYPD and now with the FBI InfraGard Program places me in a position to discuss this and perhaps to add some daylight to the why's in law enforcement. First, there is a difference in NYPD Vs FBI focus. Let's face it, the NYPD has something like the 6th or 7th largest army in world. So by size the NYPD dwarfs the FBI in personnel numbers. The FBI's largest field office is here in NYC. It is the number one largest field office in the world. Some exception with the Headquarters building. NYPD’s focus is on NYC and how outside ops can impact it so far as safety and security is concerned. NYPD is looking at the NYS Penal Law. So examine it and see how it applies to your discussions and go from there. I'm sure that there are plenty at NYPD who with great delight would pursue addressing crime under NYS law. In NYS we call 911 for crimes in progress or visit a local detective squad if we have information on a crime. We do this quietly, politely and with a passion for crime control, safety and due care, not out of an eye for an eye. The FBI is a totally different animal. Yes, both are law enforcement agencies.....but you need see and understand the limited bandwidth of the FBI and the 180 or so violations that they are charged with addressing nationally and how it takes them worldwide. So you have this image of a giant funnel and only so much can fit through the tiny spout at the bottom. When you begin looking at things with this set of eyes then you can begin to understand how the FBI reacts differently then a local law enforcement agency. Remember, the FBI has national jurisdiction and when they are challenged to address an issue.....they do so with efficiency, stealth and poise so that the greatest impact can be made. While it may be true and can be argued that what’s worst a thousand cuts of the knife or a broken limb? That’s not going to get you anywhere in these discussions. Its more of the dog casing it tail again and again….oh yes and again. It really doesn’t resolve things. So the single one dollar crimes are certainly something to look at, but the big fish is always going to get the attention for national resources to be dedicated. So what can be done and what should be done? We hear much of the government should be regulating this and that and protecting all of us from the FUD……fear, uncertainty and doubt - that we hear of every day. Fraud here, Academic sites compromised for ACT or SAT scores there, another bank with customers hanging out there…..more credit exposures the list just goes on and on. Well, first safeguard your own PI. Then work on your family and friends. Unless you have the depth of Citi Group or Morgan Stanley you can’t write these losses off. So as independent citizens we need to take personal responsibility for our own PI and use of the internet smartly. Once we have accomplished this…..a long term strategic goal….then we can talk about national ID, and many other thoughtful and suggested recommendations to tighten things up. No one is going to protect you from a poor education. So don’t get behind the wheel of an automobile unless you’ve taken drivers ed, don’t operate machinery without safety equipment on and don’t go on the internet unless you know what you’re getting into and have taken some awareness course (most free) so that you can enjoy your experience. If you pull just any life saving device off the shelf and don’t examine whether its been inspected, ready for use or is just laying there by mistake because someone put the old broken one on the wrong shelf……well…..you’ve got a problem. Invest in your internet use and technology use by understanding what you’re bringing into your home/office and then calculate the risk of putting any information out onto the web at all. In the end this is all going to fall on the shoulders of YOU, the individual. Corporations pay big bucks to shield themselves from harm. What has your family invested in to shield its members from harm? Attend an awareness course in the last ten years? Ever?? Most likely not, although some most likely got the lecture at work and slept through it. Otherwise we wouldn’t be focused on it here. It’s a mistake to think law enforcement will cure the ills of society, internet related or not. They barely touch the surface of crime as it is and then only based upon citizen reports and chance observation. Those of you ready to stand up and say I’ve been not so smart and lost X number of dollars with online betting, gambling, girly web sites or some other not too smart things please do let us all know. Right now very few admit to poor use of the internet and remain quiet victims within the environment of there homes. With that said, many technology companies could do more to pour security into the early stages of development with Software and Hardware. But this will not in the end overcome the careless, abusive and sometimes completely irresponsible drive by internet users. Anti-virus vendors will have to change there approach as signature based AV is a thing of the past since virus writing is now considered an “occupation” for some world-wide. Facebook is enjoying the enlighten masses digging up contacts from yester year and plowing though the memories of a distant past. One in fourteen are on Facebook world-wide and guess what so are organized crime and the purveyors of all sorts of fraud. So what’s so new here….not much. Lastly before I go too off focus….law enforcement will do what they can with the information that they have. If you think they are ineffective….try working with them and understand prosecutions, rules of evidence and the criminal procedure law. You voted and wrote it, so you should be aware of it. If you don’t like what you and your elected officials wrote….well, that’s another discussion for another day. All the best, Joseph Concannon NY InfraGard Inc. Hi Folks,

Reading with some interest here since we’re trying to develop our focus for our December Financial Services event for InfraGard. InfraGard is a public/private initiative of the FBI http://www.infragard.net and the undersigned runs the NY InfraGard Members Office http://www.nym-infragard.us.

So, why, why..why? Well, my considered opinion and years at NYPD and now with the FBI InfraGard Program places me in a position to discuss this and perhaps to add some daylight to the why’s in law enforcement.

First, there is a difference in NYPD Vs FBI focus. Let’s face it, the NYPD has something like the 6th or 7th largest army in world. So by size the NYPD dwarfs the FBI in personnel numbers. The FBI’s largest field office is here in NYC. It is the number one largest field office in the world. Some exception with the Headquarters building. NYPD’s focus is on NYC and how outside ops can impact it so far as safety and security is concerned.

NYPD is looking at the NYS Penal Law. So examine it and see how it applies to your discussions and go from there. I’m sure that there are plenty at NYPD who with great delight would pursue addressing crime under NYS law. In NYS we call 911 for crimes in progress or visit a local detective squad if we have information on a crime. We do this quietly, politely and with a passion for crime control, safety and due care, not out of an eye for an eye.

The FBI is a totally different animal. Yes, both are law enforcement agencies…..but you need see and understand the limited bandwidth of the FBI and the 180 or so violations that they are charged with addressing nationally and how it takes them worldwide. So you have this image of a giant funnel and only so much can fit through the tiny spout at the bottom. When you begin looking at things with this set of eyes then you can begin to understand how the FBI reacts differently then a local law enforcement agency. Remember, the FBI has national jurisdiction and when they are challenged to address an issue…..they do so with efficiency, stealth and poise so that the greatest impact can be made. While it may be true and can be argued that what’s worst a thousand cuts of the knife or a broken limb? That’s not going to get you anywhere in these discussions. Its more of the dog casing it tail again and again….oh yes and again. It really doesn’t resolve things. So the single one dollar crimes are certainly something to look at, but the big fish is always going to get the attention for national resources to be dedicated.

So what can be done and what should be done? We hear much of the government should be regulating this and that and protecting all of us from the FUD……fear, uncertainty and doubt – that we hear of every day. Fraud here, Academic sites compromised for ACT or SAT scores there, another bank with customers hanging out there…..more credit exposures the list just goes on and on.

Well, first safeguard your own PI. Then work on your family and friends. Unless you have the depth of Citi Group or Morgan Stanley you can’t write these losses off. So as independent citizens we need to take personal responsibility for our own PI and use of the internet smartly. Once we have accomplished this…..a long term strategic goal….then we can talk about national ID, and many other thoughtful and suggested recommendations to tighten things up. No one is going to protect you from a poor education. So don’t get behind the wheel of an automobile unless you’ve taken drivers ed, don’t operate machinery without safety equipment on and don’t go on the internet unless you know what you’re getting into and have taken some awareness course (most free) so that you can enjoy your experience. If you pull just any life saving device off the shelf and don’t examine whether its been inspected, ready for use or is just laying there by mistake because someone put the old broken one on the wrong shelf……well…..you’ve got a problem. Invest in your internet use and technology use by understanding what you’re bringing into your home/office and then calculate the risk of putting any information out onto the web at all. In the end this is all going to fall on the shoulders of YOU, the individual. Corporations pay big bucks to shield themselves from harm. What has your family invested in to shield its members from harm? Attend an awareness course in the last ten years? Ever?? Most likely not, although some most likely got the lecture at work and slept through it. Otherwise we wouldn’t be focused on it here.

It’s a mistake to think law enforcement will cure the ills of society, internet related or not. They barely touch the surface of crime as it is and then only based upon citizen reports and chance observation. Those of you ready to stand up and say I’ve been not so smart and lost X number of dollars with online betting, gambling, girly web sites or some other not too smart things please do let us all know. Right now very few admit to poor use of the internet and remain quiet victims within the environment of there homes.

With that said, many technology companies could do more to pour security into the early stages of development with Software and Hardware. But this will not in the end overcome the careless, abusive and sometimes completely irresponsible drive by internet users.

Anti-virus vendors will have to change there approach as signature based AV is a thing of the past since virus writing is now considered an “occupation” for some world-wide.

Facebook is enjoying the enlighten masses digging up contacts from yester year and plowing though the memories of a distant past. One in fourteen are on Facebook world-wide and guess what so are organized crime and the purveyors of all sorts of fraud. So what’s so new here….not much.

Lastly before I go too off focus….law enforcement will do what they can with the information that they have. If you think they are ineffective….try working with them and understand prosecutions, rules of evidence and the criminal procedure law. You voted and wrote it, so you should be aware of it. If you don’t like what you and your elected officials wrote….well, that’s another discussion for another day.

All the best,

Joseph Concannon
NY InfraGard Inc.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: ryo http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-10702 ryo Tue, 28 Sep 2010 04:01:18 +0000 http://www.krebsonsecurity.com/?p=1609#comment-10702 I totally agree they should release the stats. I totally agree they should release the stats.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: Cyber-crime figures | Panda Security Insight http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-3901 Cyber-crime figures | Panda Security Insight Tue, 16 Mar 2010 12:33:49 +0000 http://www.krebsonsecurity.com/?p=1609#comment-3901 [...] written by Brian Krebs, 9.5 million dollars were stolen from physical banks in the US in the last quarter of 2009, [...] [...] written by Brian Krebs, 9.5 million dollars were stolen from physical banks in the US in the last quarter of 2009, [...]

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: El cybercrimen, en números | Panda Security Insight http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-3898 El cybercrimen, en números | Panda Security Insight Tue, 16 Mar 2010 10:34:47 +0000 http://www.krebsonsecurity.com/?p=1609#comment-3898 [...] a ataques de phishing y a robo de identidad mediante troyanos bancarios. Tal y como comenta Brian Krebs, el robo de bancos físicos en US en el último trimestre de 2009 fue de 9,5 millones, lo que [...] [...] a ataques de phishing y a robo de identidad mediante troyanos bancarios. Tal y como comenta Brian Krebs, el robo de bancos físicos en US en el último trimestre de 2009 fue de 9,5 millones, lo que [...]

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: Dillinger would now rob the Internet. | Cybersecurity and Internet Communications http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-3890 Dillinger would now rob the Internet. | Cybersecurity and Internet Communications Tue, 16 Mar 2010 04:29:28 +0000 http://www.krebsonsecurity.com/?p=1609#comment-3890 [...] criminals stole waaay more money from e-banking accounts than they did from brick-and-mortar [...] [...] criminals stole waaay more money from e-banking accounts than they did from brick-and-mortar [...]

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: James R. ("Jim") Woodhill http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-3860 James R. ("Jim") Woodhill Mon, 15 Mar 2010 15:42:59 +0000 http://www.krebsonsecurity.com/?p=1609#comment-3860 Brian is correct. It was clear during the June, 2003 hearings on the identity theft provisions of the Fair and Accurate Credit Transactions Act (FACTA) that the bank executives at the witness table measured the crime in “dollars”, while the elected representatives of the people at the front of the room measured them in “victims”. To quote the Vivian Ward character in the movie “Pretty Woman”, “Big Mistake. Big, HUGE Mistake!” $25,000,000 is 250 $100,000 losses, and, as Brian has documented with the sad case of Long Island-based Little & King, a $100,000 loss is enough to *kill* a small company with a thriving business. A small- and medium-sized enterprise being murdered in over half the congressional districts in America every quarter will draw a political response. That response will come much quicker if, for some reason, this cause attracts a "lobbyist" willing to work "pro-bono"... Brian is correct. It was clear during the June, 2003 hearings on the identity theft provisions of the Fair and Accurate Credit Transactions Act (FACTA) that the bank executives at the witness table measured the crime in “dollars”, while the elected representatives of the people at the front of the room measured them in “victims”. To quote the Vivian Ward character in the movie “Pretty Woman”, “Big Mistake. Big, HUGE Mistake!”

$25,000,000 is 250 $100,000 losses, and, as Brian has documented with the sad case of Long Island-based Little & King, a $100,000 loss is enough to *kill* a small company with a thriving business.

A small- and medium-sized enterprise being murdered in over half the congressional districts in America every quarter will draw a political response. That response will come much quicker if, for some reason, this cause attracts a “lobbyist” willing to work “pro-bono”…

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: James R. ("Jim") Woodhill http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-3859 James R. ("Jim") Woodhill Mon, 15 Mar 2010 15:40:39 +0000 http://www.krebsonsecurity.com/?p=1609#comment-3859 Brian is correct. It was clear during the June, 2003 hearings on the identity theft provisions of the Fair and Accurate Credit Transactions Act (FACTA) that the bank executives at the witness table measured the crime in "dollars", while the elected representatives of the people at the front of the room measured them in "victims". To quote the Vivian Ward character in the movie "Pretty Woman", "Big Mistake. Big, HUGE Mistake!" $25,000,000 is 250 $100,000 losses, and, as Brian has documented with the sad case of Long Island-based Little & King, a $100,000 loss is enough to *kill* a small company with a thriving business. A small- and medium-sized enterprise Brian is correct. It was clear during the June, 2003 hearings on the identity theft provisions of the Fair and Accurate Credit Transactions Act (FACTA) that the bank executives at the witness table measured the crime in “dollars”, while the elected representatives of the people at the front of the room measured them in “victims”. To quote the Vivian Ward character in the movie “Pretty Woman”, “Big Mistake. Big, HUGE Mistake!”

$25,000,000 is 250 $100,000 losses, and, as Brian has documented with the sad case of Long Island-based Little & King, a $100,000 loss is enough to *kill* a small company with a thriving business.

A small- and medium-sized enterprise

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: James R. ("Jim") Woodhill http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-3858 James R. ("Jim") Woodhill Mon, 15 Mar 2010 15:33:23 +0000 http://www.krebsonsecurity.com/?p=1609#comment-3858 I think the $120 million figure includes losses (such as those from ATM card skimming) that are covered by Regulation E and therefore the banks have to eat. The $25 million figure is FDIC's Dave Nelson's number for the losses to *commercial* customers that the banks did not reimburse because the government does not (currently) compel them to do so. I think the $120 million figure includes losses (such as those from ATM card skimming) that are covered by Regulation E and therefore the banks have to eat. The $25 million figure is FDIC’s Dave Nelson’s number for the losses to *commercial* customers that the banks did not reimburse because the government does not (currently) compel them to do so.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: BrianKrebs http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-3739 BrianKrebs Fri, 12 Mar 2010 17:40:09 +0000 http://www.krebsonsecurity.com/?p=1609#comment-3739 @Lynda - I don't know where SANS got its numbers from. But I believe $120M figure you're seeing floating around is supposed to represent a cumulative number -- not just one three-month period's worth). @Lynda – I don’t know where SANS got its numbers from. But I believe $120M figure you’re seeing floating around is supposed to represent a cumulative number — not just one three-month period’s worth).

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: John T. Hoffoss http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/comment-page-1/#comment-3656 John T. Hoffoss Thu, 11 Mar 2010 17:35:21 +0000 http://www.krebsonsecurity.com/?p=1609#comment-3656 Quoting from Brian's article might help to explain why this gets ignored by the FBI: "In fact, real-life bank robbers stole a total of just over $30 million in the first three quarters of 2009, just $5 million more than cyber crooks did in the third quarter of last year alone." We don't look at "cyber" crooks as "crooks!" We prepend with a statement like "real-life bank robbers," when we turn around and refer to what *are* real-life bank robbers. Steve wrote: "> It’s probably because it takes a long time for the FBI to > change direction. Thats how they missed 9/11. How about something more realistic, and to the point. Sometimes, there isn’t anything that they can do. You can’t look at every failure, no matter how big, and say 'look, they didn’t protect us'. " I don't know if the commenter Steve replied to meant the FBI should prevent this, but the investigation, follow-up and prosecution is sorely lacking. Our laws are sufficient but very few attorneys and judges understand that electronic crime isn't all that different from real-world crime, and even fewer can make the correlation necessary to help others understand that. A bank robber is someone who steals from banks. But the fact that it isn't considered robbery if a robber steals from a specific account is ridiculous. That $25 million should be reported and tracked by the FBI just like the "real" robberies are. Quoting from Brian’s article might help to explain why this gets ignored by the FBI:

“In fact, real-life bank robbers stole a total of just over $30 million in the first three quarters of 2009, just $5 million more than cyber crooks did in the third quarter of last year alone.”

We don’t look at “cyber” crooks as “crooks!” We prepend with a statement like “real-life bank robbers,” when we turn around and refer to what *are* real-life bank robbers.

Steve wrote:

“> It’s probably because it takes a long time for the FBI to
> change direction. Thats how they missed 9/11.

How about something more realistic, and to the point. Sometimes, there isn’t anything that they can do.

You can’t look at every failure, no matter how big, and say ‘look, they didn’t protect us’. ”

I don’t know if the commenter Steve replied to meant the FBI should prevent this, but the investigation, follow-up and prosecution is sorely lacking. Our laws are sufficient but very few attorneys and judges understand that electronic crime isn’t all that different from real-world crime, and even fewer can make the correlation necessary to help others understand that.

A bank robber is someone who steals from banks. But the fact that it isn’t considered robbery if a robber steals from a specific account is ridiculous. That $25 million should be reported and tracked by the FBI just like the “real” robberies are.

Like or Dislike: Thumb up 1 Thumb down 0
]]>