The state of cybercrime

We need to keep ourseves safe. But who are we keeping ourselves from? Cybercrime is unsurprisingly, crime that occurs online. But what does it look like, and what’s the state of it at the moment? Adam Murphy met with Ross Anderson, Professor of Security Engineering at Cambridge University, who took him through the shifting world of cybercrime...

Ross - There were big changes in crime about 10 to 20 years ago but over the past decade, patterns of cybercrime have been remarkably stable. We did a big survey in 2011 and another survey in 2018, whose results came out this year, and we were surprised to find that the patterns were stable despite the fact that we've had a complete change in technology since the early 2010s. We're now all using phones rather than laptops to go online. Everything's become social and companies are keeping the data in the cloud, rather than on servers in their company premises. Yet the patterns of crime are the same and that's basically telling us that crime isn't so much about technology, it's about the broader stuff; the environment, the incentives, it's what the police are prepared to investigate, and the CPS is prepared to prosecute.

Adam - What does cybercrime look like? Is it just digital versions of analogue crimes?

Ross - Well there are three types of crime that you can think about that are analogue crimes that haven't changed very much at all, like tax fraud. That's technically cyber crime because you feel your tax return online and that's basically unchanged. Then there are crimes that we used to have in the analogue world which have changed the nature radically as we've gone online, such as card fraud. Fraud against people's bank accounts and credit cards used to involve things like shoulder-surfing people at ATMs or fishing credit card carbons out of bins in restaurants. Now it's mostly stuff that's done online. And the third type of online crime you get is the pure cyber crime. Things like ransomware, for example. And underpinning all this is cyber criminal infrastructure, or the botnet, made up of thousands or even millions of infected computers which send out the spam which hosts dodgy concent and so on and so forth.

Adam - Are there trends though? Even if it's remained constant, how has cyber crime changed over the years.

Ross - There's a number of changes in the ecosystem. The first is that card crime overall has about doubled in the past eight years. But the total volume and value of card payments has more than doubled, it's almost tripled. What's happening is that the card payment system is growing as the online component grows and it's also becoming more efficient. So that's a good thing. What we also see is that particularly cyber crimes have dropped away. Seven or eight years ago, you got an awful lot of spam that was trying to sell Viagra. Now Viagra is out of patent, you just buy it in the chemists so there's not a big deal anymore and so you don't get that kind of stuff. And similarly, there's not a lot of people trying to sell pirated software or movies or music because nowadays everyone just downloads music and movies and software tends to be in the cloud and free anyway.

What has replaced them are crimes involving bitcoin, for example, with dodgy Bitcoin exchanges where you're invited to take part in some scheme or another, or invest in a new coin, or invest in some high yield investment plan. And what then typically happens is that the scammers just take your money and vanish with it.

Adam - With all this cybercrime you'd imagine there'd be a lot of emphasis on enforcement. Well…

Ross - The shocking thing is this. Despite the fact that half of all acquisitive crime is now online, the total number of police officers who are involved in fighting cyber crime in Britain is somewhere between 200 and 300. That's out of a total police force of 120,000 officers. So it's given essentially no priority at all despite the fact that it's half the total.

Adam - So what can we do?

Ross - Basically it comes down to being out and arresting people. You see the typical online scam is a bit like the typical burglary. There may very well be no usable evidence but if you look closely, then in a significant minority of cases there will be some. The burglar may have picked up a paper hankie from your kitchen and blown his nose or he may have cut himself from the window as he went in or whatever. And with modern DNA and fingerprinting techniques then you've got them. Similarly, people who do online crimes are very often poor at their operational security and they leave traces back to their real names, and their real email addresses and so on. Simply because, up to now, they've been able to operate with impunity. They didn't have to learn to be careful.

Now the problem is that many police forces will say “it's not our policy to investigate frauds under £10,000”. Right? And this very rapidly becomes known to the crooks that you can go and steal an awful lot of money, in thousands pound helpings from some particular neighborhood. And the police will never get off their butts to chase you. So what's really needed here is for police enforcement to be randomised. If the police say they're always going to investigate fraud over £10,000, then if somebody starts from £900 then the police should roll some dice and investigate that crime with probability 9 percent.

And that means if anybody goes out and rips off a whole lot of students for deposits for nonexistent flats from 900 potentials, student after student, dozens, hundreds every year, then eventually the number will come up and they'll get chased. That is the way to do it.