The City of London’s Police Commissioner, Adrian Leppard, has been laughed at by cyber-security experts after writing an open letter to The Times this week, in which he refused to accept that police forces across the UK are struggling to get to grips with this new breed of cyber-criminals.
Leppard said that the forces are “not sitting idly by” whilst fraudsters take advantage of consumers carrying out transactions online and that the City of London is now getting its hands on tools that allow it to “properly engage” with cyber-thieves.
His comments follow a recent Home Affairs Select Committee report, which stated that the UK is losing the war on online criminal activity and said that the government is too complacent in targeting cyber-criminals. MPs recommended that a state-of-the-art espionage response team be established so that British companies, media, and institutions can immediately report an attack and effective action be taken.
The Committee concluded that there appears to be a ‘black hole’ where e-crime is committed with impunity, and that online criminal activity which defrauds victims of money is often not reported or investigated by law enforcement.
However, Leppard argued that any victim of internet fraud is able to report directly to the Action Fraud call centre, knowing that their report will be analysed by his force’s National Fraud Intelligence Bureau and potentially used as the catalyst for an investigation by a local police force, or at the very least “to enrich the national intelligence picture”.
Andrew Kellett, security expert at analyst house Ovum, has said that the Commissioner’s position is “bullish” given that current cyber-crimes are reported to the banks, not the police. What evidence does he have that they are doing anything to improve the position of the ordinary citizen, asked Kellett.
He also argued that given the cuts to resources and budgets, it is unlikely that things are going to improve anytime soon.
“I’m not convinced we are going to throw enough resources at it. Everyone is struggling with spending and everybody is likely to be under resourced for the next couple of years, given the way that budgets are going at the moment. I find it unlikely that given the number of constraints the police are under, that we are going to throw a lot more money at protecting against cyber-criminal activity,” said Kellett.
“Also, everybody seems to be measured on their success at the moment, and cyber-crime is not one of those areas where you make a lot of success headlines compared to the amount of work you have to put into it.”
Security guru Ross Anderson, researcher at the University of Cambridge, was more outspoken in comments to Computerworld UK. He slammed current attempts by the police forces to protect against cyber-crime, claiming that placing the Met Police’s e-crime unit under the control of the Serious Organised Crime Agency (SOCA) will be a disaster.
“The Met built up a fairly reasonable electronic crime unit, but they have since been brought in under SOCA, which means, in other words, they won’t do anything useful anymore. SOCA has a terrible reputation for being as much use as a chocolate fireguard. We will have to wait and see, but I’m not hopeful,” he said.
Anderson also complained about the previous Labour government’s attempt to tackle e-crime by putting the UK Cards Association in charge of enforcement against fraud. He said that this was done to massage crime figures, because if 11,000 frauds appeared to have something in common, the UK Cards Association would report this to the police as one crime, rather than the police having to investigate 11,000 individual cases.
However, this approach has also meant that the banks are the ones in control and will only report crimes that are in their interests to do so, according to Anderson.
“The problem with this approach is that if you have a complaint against the bank, which it doesn’t want to have investigated, you are stuffed. The banks are increasingly dumping fraud costs and risks on cardholders and merchants and the police only get called in when the banks want this to happen,” he said.
“If there is a pattern of fraud that appears to be the fault of a bank, the police won’t be allowed anywhere near it. That’s a serious governance issue.”
Anderson said that the police need to see mainstream cyber-crime enforcement put through all the forces, with a central resource pool to support them. He also believes that GCHQ needs to stop scaremongering in order to receive all the cash allocated to e-crime.
“You need an enormous amount of resources put into forensics, when anyone gets arrested there are gigabytes of stuff involved. The police like the idea of having access to all your stuff online, but they aren’t willing to do the hard work, roll up their sleeves, allocate the budgets, train people to do computer forensics, and do the job properly,” said Anderson.
“But I don’t see the incentive for them to try. Cyber-crime is like child pornography, something people prefer to shout about rather than do something about. It’s a thing that you wave to get the troops in line. GCHQ waves cyber-crime to say that the government must give it more money and more control over the internet.
“But do they do anything about these problems when they have extra money and resources? No, why should they?”
Computerworld UK spoke to Danvers Baillieu, COO of Privax.com, the company behind popular VPN service Hide My Ass!, who explained that his company had been on both sides of a police investigation into cyber-crime, and that he also believes police forces to be completely ineffective.
“We have been the victim of cyber-crime, where people have used stolen credit card details to purchase our service, and then the charge has been reversed when the credit card holder has reported the fraud. We have attempted to report that to the police ourselves, which is just hopeless,” said Baillieu.
“When Leppard talks about a call centre that people can report stuff to, well we have got logs that need reporting. Are we going to ring up and recite that down the phone? He’s got rose-tinted spectacles if he thinks that’s the way to report things. The first time we tried to report something we were told to go to the front desk at Charing Cross police station, and basically they stuck our complaint in a drawer.”
“We have given up reporting these things, because they admit that if you report a few charge back offences, they aren’t going to investigate. They look at it as an industry problem and they advise that we get together with others in our industry to find a solution, but that’s not going to happen. We aren’t going to talk to other VPN providers about that, it’s a competitive industry, and that’s the police’s job!”
Baillieu believes that the police should build an industry-friendly reporting system so that merchants can feed back information and all the relevant data about where charge backs have occurred, through an API. This would allow the police to spot patterns in where lots of similar fraud was taking place and could result in more organised action from the forces.
“When we get enquiries from the police asking for details of a subscriber to our VPN service that has been connected to a crime, there doesn’t seem to be any coordinated approach or pooling of resources to go after the high value, coordinated, repeat offenders,” he said.
“We aren’t talking about something that’s very difficult to build; you could do it for a few million quid. But the public sector is another issue, isn’t it?”