Review 2007: IT security and e-crime
Computing's review of the year looks back at the top IT security and cybercrime stories
Computer security has become a national as well as a personal problem
Security remains a constant challenge for IT managers, but it is increasingly a government and national issue too, as identity theft, privacy and data protection become major public concerns.
Computing looks back at the biggest stories in security and e-crime from a busy year.
January
Personal details are being revealed online
The results of a survey of PC users show that 45 per cent of what we do online requires us to disclose personal or financial data.
The survey, by vendor Kaspersky Lab, shows that despite the increase in backdoor Trojans, keyloggers and internet scams such as targeted phishing attacks, web users have not been put off going online to conduct their banking, shopping and travel bookings.
The top online activities listed by users that require the disclosure of personal information were: banking (20 per cent of online activity); shopping (15 per cent); and travel booking (10 per cent).
Council modernises security systems
Hampshire County Council has introduced new security systems to improve collaboration with other local agencies such as the NHS, police and schools.
The authority installed a virtual private network using two-factor authentication technology to give thin-client access to email and back-office systems for 700 users.
Professional security accreditation moves closer
IT security experts will be able to achieve professional qualifications on a par with occupations such as accountancy and law within three years, following trials.
The government approved the creation of the Institute of Information Security Professionals (IISP) early last year and full membership trials have been completed.
Bank victim of record phishing strike
Sweden's largest bank, Nordea, has suffered the biggest internet fraud in history, it was announced today.
Over 8 million kronor (£600,000) has disappeared in three months as a result of tailor-made trojans launched by Russian criminals. Latest reports indicate that 250 customers have become victims so far.
The bank and the police have been unable to stop the attacks, but do have 121 people on the suspect list.
E-crime efforts stall over staff
Senior police officers have criticised high-tech crime measures following a Computing investigation that reveals UK forces lack specialist staff and resources.
More than half of police forces have five or fewer staff dedicated to e-crime, and three forces have none at all, despite being given greater e-crime investigation and reporting responsibilities when the National Hi-Tech Crime Unit (NHTCU) was disbanded last April.
Computing contacted every force in the UK. The vast majority of those questioned in e-crime units said paedophile and child abuse cases consume more than 75 per cent of their time. Only six constabularies mentioned working with businesses to tackle e-crime.
February
Proposals for the Metropolitan Police to co-ordinate national e-crime strategy will fail without major new funds, experts warn.
The Met last week suggested its computer crime division could plug the hole between local forces and the Serious Organised Crime Agency, a gap created when the National Hi-Tech Crime Unit was disbanded last April.
But e-crime is not a sufficiently high priority to compete for scarce resources, says Rick Naylor, president of the Police Superintendents’ Association.
PayPal acts to stamp out phishing attacks
PayPal’s decision to introduce an optional two-factor authentication system highlights the increasing concern of banks and online payment organisations over phishing.
The amount of money lost to online banking fraud in the UK increased 55 per cent to £22.5m in the first half of 2006, according to figures from banking industry body Apacs – and all the signs indicate this amount will continue to rise.
Hackers overwhelm internet servers in huge attack
Hackers briefly overwhelmed at least three of the 13 root DNS servers that help direct global internet traffic yesterday, in one of the most significant attacks on the root servers since 2002.
Experts said the attack lasted as long as 12 hours but passed largely unnoticed by most computer users. Computer scientists worldwide raced to cope with enormous volumes of traffic that threatened to saturate some of the internet's most vital servers.
Nationwide fined for laptop theft
The financial regulator has fined the Nationwide Building Society almost £1m following the theft of an employee's laptop in August last year.
Nationwide was penalised to the tune of £980,000 for not having adequate information security procedures and controls in place, potentially exposing the society's 11 million customers to an increased risk of financial crime, said the Financial Services Authority (FSA).
March
Local police are imposing a threshold value below which e-crimes are not investigated, according to UK businesses who regularly report offences.
Lack of technical knowledge and investigation tools means police are setting informal financial limits, it emerged last week.
CBI calls for greater focus on web security
Employers’ body the CBI is calling for a national strategy to clarify where responsibility for internet security lies.
There are few clear regulations governing online retailers’ liability in protecting their customers from attacks such as phishing and identity theft. How far businesses could or should take responsibility for customers’ security problems is still an open question.
But apportioning blame for security issues needs to be done carefully, and an overarching strategy would be more effective than prescriptive regulations, CBI head of e-business Jeremy Beale told the House of Lords Science and Technology Sub-Committee last week.
Malware rises 172 per cent in 2006
The number of malware detections in 2006 increased 172 per cent from 2005, according to research by vendor PandaLabs.
Massive infections caused by a single virus have practically disappeared, replaced by multiple variants that silently infect computers, says the firm's report.
Online banking fraud rises sharply
Online banking fraud losses have increased 44 per cent from £23.2m in 2005 to £33.5m in 2006 according to figures released by banking body Apacs today.
Total card fraud losses fell by three per cent in the past year to £428m – a decrease of nearly £80m over the past two years. This fall has been driven by a 13 per cent decrease in UK domestic fraud and the combined reduction of more than £45m in mail non-receipt and lost and stolen fraud.
Security upgrades are top IT priority
Nearly 80 per cent of large European companies cite upgrading security systems as their main IT priority this year, according to a Forrester Research report.
The analyst also found that 56 per cent of IT decision-makers working in companies with more than 1,000 employees include upgrading business continuity and disaster recovery capabilities in their top priorities in 2007.
Arcadia tightens online security
Arcadia Group, the UK’s largest clothing retailer, has overhauled internet access policies to protect systems and staff.
The company, which owns high-street chains including Topshop and Dorothy Perkins, will use the Webwasher system from Secure Computing to enforce the policies and protect itself from malware.
TK Maxx confirms theft of millions of credit card details
Retailer TK Maxx says hackers stole credit and debit card details belonging to over 45 million customers in an attack on the computer systems of its parent company TJX.
Details of transactions made between January 2003 and June 2004 were among the data accessed, but the full extent of the theft is unknown, Computing revealed earlier this year.
TJX has admitted that intruders had access to its systems in Watford, Hertfordshire and in Massachusetts over a 16-month period from July 2005 to December 2006.
April
One third of businesses do not report e-crime
A third of businesses do not report their information security crimes and breaches, according to research.
Interviews conducted by Infosecurity Europe with a panel of 20 chief security officers (CSOs) of large enterprises suggest that businesses are subject to attempted e-crime every day, but find it hard to establish at what point it becomes sensible to report it.
Banks’ role in reporting e-crime raises concerns
Industry experts have criticised new procedures that make banks the first point of contact for reporting online fraud.
From this week, businesses and consumers in England, Wales and Northern Ireland have to report instances of online, cheque and card fraud to their bank or building society instead of the police.
Digital forensics lack standards
Court cases involving digital evidence are at risk of collapsing because some police forces fail to check the security of computer forensics suppliers.
A Computing investigation has revealed that while some firms providing conventional forensics services must attain an ISO standard, there is no such requirement for handling digital evidence.
Barclays to tighten online banking security
Over half a million Barclays bank customers will be the first UK banking customers to be issued with handheld chip-and-PIN readers later this year to improve online security and combat identity theft.
The bank will provide standalone calculator-size two-factor authentication card readers to customers transacting online with third parties.
The bank will supply card readers to half a million of its two million online banking customers.
May
Technology experts have raised concerns about the security of the City of London’s new WiFi network.
The network, turned on last week, comprises 127 nodes and offers 95 per cent coverage of the heart of London’s financial district, an area serving more than 350,000 people.
Marks and Spencer has confirmed that a laptop containing information on 26,000 employees was stolen three weeks ago.
The laptop was taken from a printing firm that had been given the personal information in order to write to employees about pension changes.
Biometric immigration live at Gatwick
The Iris Recognition Immigration System (Iris) being developed as part of the government's eBorders programme went live at Gatwick airport yesterday.
Frequent travellers to the UK who pre-register on Iris are recognised by a camera scan at immigration control and can bypass queues.
National e-crime unit takes tentative first steps
The creation of a national e-crime co-ordination unit is getting underway following financial support from the National Policing Improvement Agency (NPIA).
But without continued central government funding the scheme will have to rely on private sector contributions, and may take longer to get up and running.
The 45-strong team will be run by London’s Metropolitan Police and will take on some of the functions of the National Hi-tech Crime Unit, which was absorbed by the Serious Organised Crime Agency (Soca) in April last year.
June
What price individual privacy...
Data collection is everywhere. There are more than four million closed circuit TV cameras in the UK, the police fingerprint database holds nearly six million sets of prints, and London’s congestion charging scheme automatically records the number plate of every car travelling into the capital.
It is not just the public sector. More than half of all UK adults have a Nectar card, the loyalty scheme used by multiple outlets including Sainsbury’s and BP. Insurance firm Norwich Union has a ‘pay as you drive’ product that relies on an in-car black box to monitor vehicle use. And Google wants to use internet search histories for everything from targeted ads to personal advice.
So it comes as no surprise that two parliamentary committees are examining privacy issues.
London Stock Exchange cyber attack
The London Stock Exchange (LSE) has been hit by an attack on its website that disrupted an alerts service used by more than 14,000 private investors for more than 48 hours.
Attackers registered hundreds of thousands of bogus alerts, in effect a denial of service attack, overloading the LSE website and disrupting the service for legitimate users.
Orange fails to protect customer data
The Information Commissioner’s Office (ICO) says mobile phone company Orange has failed to protect its customer data.
The ICO found Orange processed personal information without adhering to the Data Protection Act.
The phone company allowed members of staff to share user names and passwords when accessing the company IT system.
EU allows US to have unprecedented access to personal data
The European Union (EU) has reached an agreement to allow the US government unprecedented access to data on flight passengers and also banking details.
The first of the new agreements allows the US to retain information about passengers travelling from Europe for up to 15 years and places no limitation on what US authorities are allowed to do with the data.
July
Google moves to appease privacy watchdogs
Google says that its cookies, which store information about a user's internet habits on their own computer, will now automatically be deleted after two years.
The move comes after a group of European data protection watchdogs wrote to Google questioning the legitimacy of its privacy policies last month.
Internet leads to rise in fraud
Fraud levels in the UK are at record high, with the internet involved in almost all instances of fraud, according to the latest KPMG Fraud Barometer report.
In the first half of 2007, the government and businesses lost £594m to fraud, almost three times the figure recorded for the previous six months.
Newcastle City Council blunder exposes credit card details
Details of thousands of people’s credit and debit cards have been mistakenly made available on the internet after a security breach of Newcastle City Council's systems.
Up to 54,000 individual cardholders are affected. Information was placed on an open server instead of a secure network. The blunder happened five weeks ago, and no cards have yet been subject to fraud.
August
The internet is the new wild west, say Lords
The internet is a 'wild west' where criminals operate outside the law and users fear e-crime more than mugging, according to a House of Lords select committee.
And the government's laissez-faire attitude is 'inefficient and unrealistic', says the committee's report on personal internet security, published this morning.
The UK’s information security laws have come under debate across government as the issue of data protection rises up the political agenda.
A Conservative Party policy review last week recommended the repeal of the ‘expensive bureaucracy’ surrounding the Data Protection Act (DPA).
But a House of Lords committee on personal internet security has called for the government to increase the powers and effectiveness of the Information Commissioner’s Office (ICO), as well as introduce a law forcing firms to reveal breaches of data security.
September
Wireless security still being ignored
Firms are failing to secure WiFi networks, voice over IP (VoIP) systems and USB storage devices, even though virtually all organisations are addressing other external IT security threats.
Forty per cent of respondents to a survey by the National Computing Centre (NCC) said their wireless networks are either partially or not at all secured. And only 15 per cent have implemented VoIP security.
Just one in 10 UK merchants are compliant with payment card data security rules, leaving them open to security breaches and criminal attacks.
Only 11 per cent of retailers, financial services institutions and other businesses accepting card payments conform to the Payment Card Industry Data Security Standard (PCI DSS), according to a survey by secure transaction specialist The Logic Group.
Web site glitch exposes hotel customers' details
A glitch on the web site of hotel chain Travelodge led to names, addresses and parts of credit card numbers being accessible to other customers.
One affected site user claimed thousands of records could have been exposed. But Travelodge said that only a small proportion could have been accessed in the time that it took to fix the fault.
A customer discovered the problem by clicking on the link in a booking confirmation email and changing the booking number. The result was access to other customers’ orders showing their name, postal address and the last four digits of the credit card number.
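The Travelodge fault described above is an insecure direct object reference: the booking number in the link is the only thing the server checks, so changing it returns someone else's order. The following is an added illustration, not Computing's or Travelodge's code. The booking records, the customer identities and the per-process server key are constructed for the example; it shows the vulnerable lookup, the enumeration a curious customer could run against it, and two fixes: tying the lookup to the logged-in account, and, for e-mail links that must work without a login, pairing the booking number with a keyed tag that cannot be forged by editing the number.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not Travelodge's): booking number -> record.
# The owning account is stored so the server can check it on every lookup.
BOOKINGS = {
    "20071001": {"owner": "alice@example.invalid", "name": "A. Customer",
                 "address": "1 High Street", "card_last4": "4242"},
    "20071002": {"owner": "bob@example.invalid", "name": "B. Customer",
                 "address": "2 Station Road", "card_last4": "1111"},
}


class BookingNotFound(Exception):
    """Raised for both unknown and foreign bookings, so a response never
    confirms that a guessed booking number exists."""


def view_booking_vulnerable(booking_no):
    """The fault as reported: the booking number from the confirmation link
    is the only key, so editing it returns another customer's order."""
    return BOOKINGS.get(booking_no)


def enumerate_neighbours(booking_no, count):
    """What the customer in the story did, automated: walk sequential booking
    numbers through the vulnerable handler and collect every record returned."""
    start = int(booking_no)
    found = {}
    for n in range(start, start + count):
        rec = view_booking_vulnerable(str(n))
        if rec is not None:
            found[str(n)] = rec
    return found


def view_booking_hardened(booking_no, session_user):
    """Fix 1: bind the lookup to the authenticated session. The record is
    returned only when the logged-in customer owns it."""
    rec = BOOKINGS.get(booking_no)
    if rec is None or rec["owner"] != session_user:
        raise BookingNotFound(booking_no)
    return rec


# Fix 2, for links that must work without a login: send the booking number
# together with an HMAC over it. Someone who edits the number cannot produce
# the matching tag without the server key. The key is generated per process
# for this demo; assumption: a real deployment loads a persistent secret
# from configuration rather than regenerating it on start-up.
SERVER_KEY = secrets.token_bytes(32)


def booking_link_tag(booking_no, key=SERVER_KEY):
    """Tag to embed in the confirmation link alongside the booking number."""
    return hmac.new(key, booking_no.encode(), hashlib.sha256).hexdigest()


def view_booking_by_link(booking_no, tag, key=SERVER_KEY):
    """Serve the record only if the tag matches; compare in constant time."""
    expected = booking_link_tag(booking_no, key)
    if not hmac.compare_digest(expected, tag) or booking_no not in BOOKINGS:
        raise BookingNotFound(booking_no)
    return BOOKINGS[booking_no]


def can_view(handler, *args):
    """True if the handler returns a record, False if it refuses."""
    try:
        handler(*args)
        return True
    except BookingNotFound:
        return False
```

With the hardened handlers, a changed booking number and a changed or missing tag both produce the same "not found" result, so enumeration neither leaks records nor reveals which numbers are valid.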
October
Fears for e-crime unit as top cop quits post
The departure of a senior police officer central to the UK’s e-crime strategy has raised fresh concerns over the progress of plans for a national co-ordination unit.
Commander Sue Wilkinson, the Association of Chief Police Officers (Acpo) lead on e-crime, is leaving on a two-year secondment overseas and is unlikely to return to the role, Computing can reveal.
Insiders warn that crucial proposals for a National E-crime Co-ordination Unit (Necu) to plug the gaps in policing of UK cyber crime could stall as a result.
Westminster avoids fingerprints
Parliament's security advisers have abandoned the idea of using fingerprint technology to enhance the security surrounding the Commons and the Lords for fear it could pose a risk of mutilation of MPs, Peers or staff.
The authorities' fear is that potential suicide bombers would have no compunction about cutting off politicians' fingers in an attempt to defeat a system that relied on automatic readers to verify passholders' identities.
Police to be assessed on e-crime response
Electronic crime is to be included for the first time in the criteria by which local police forces are assessed.
From this week, HM Inspectorate of Constabulary (HMIC) will examine whether forces have investigated the problem of computer-based criminal activity and what reporting structures are in place to focus on it.
The changes are a major step forward and will help establish a co-ordinated national response, according to Sue Wilkinson, the Association of Chief Police Officers (Acpo) lead on e-crime.
Information Commissioner welcomes data protection review
The prime minister is launching a review of information-sharing practices in the public and private sector.
And Information Commissioner Richard Thomas, who will play a key role in the initiative, has welcomed the opportunity to re-consider the UK approach to data protection.
HSBC is rolling out a real-time card fraud detection system in the UK following its successful implementation in the US.
The system will scan all HSBC’s UK card transactions and identify potentially fraudulent items in less than 30 milliseconds. In the US project, the number of transactions scanned for potential abuse increased by 87 per cent.
The bank aims to roll out the security measure for transactions involving more than 100 million credit or debit cards in more than 30 countries.
November
Cyber war moves up Nato agenda
Nato countries’ defence ministers met last week to finalise the organisation’s first policy covering cyber attacks on member states’ critical national infrastructure.
After hacking campaigns against Estonia in May, and Whitehall and the Pentagon in October, the profile of electronic warfare is on the rise.
Computer-based spying and the hacking of military systems have been a staple of conflicts since the Cold War. But the attacks are getting bigger and more organised, tilting at the age-old counter-espionage target of destabilising a country from afar.
Foreign Office breached the Data Protection Act
The Foreign and Commonwealth Office (FCO) breached the Data Protection Act after personal details of visa applicants were visible to others, the Information Commissioner’s Office (ICO) ruled today after an investigation.
UKvisas - the joint Home Office and FCO directorate responsible for visa processing - was found to be insecure in May after some applicants found they could view each other's details.
Public concern grows over data protection
The public is increasingly aware of data protection issues, according to research from the Information Commissioner’s Office (ICO).
People now consider protecting their personal information as the second most socially important issue above the NHS, national security and environmental issues.
HMRC fiasco places data protection under the spotlight
HM Revenue & Customs’ (HMRC’s) loss of CDs containing child benefit records for 25 million people - including the bank details of 7.25 million families - is the worst data security breach in UK history.
Chancellor Alistair Darling admitted in his parliamentary statement that the situation represents an “extremely serious failure by HMRC in their responsibility to the public”.
China is spying on UK business, warns MI5
China's People's Liberation Army is conducting a concerted campaign of cyber espionage against UK businesses, the head of MI5 is warning.
Spy chief Jonathan Evans has written to financial, legal and retail firms this morning to warn of the threat and advise companies to undertake a risk assessment of their IT security defences, according to consultancy KPMG.
December
Security is not on the board
Companies are not including information security in their executive decision-making processes, leaving them exposed to the threats, according to the Ernst & Young Global Information Security Survey.
Nearly one-third (32 per cent) of security officers never meet with the board or audit committee, and more than a quarter (26 per cent) do not report to senior management on information security compliance or incidents.
Further security breaches uncovered at HMRC
HM Revenue and Customs (HMRC) has suffered seven breaches of data security since 2005, not including last month’s loss of 25 million child benefit records, the department’s acting chairman has admitted.
Such losses represent a “systemic failure” in security at the department, according to Dave Hartnett, who took over when Paul Gray resigned over last month’s lost discs affair.
Government policy for protecting critical businesses against electronic crime is “not fit for purpose”, according to IT security chiefs at blue-chip firms.
Despite growing concerns over cyber security - and recent MI5 warnings about Chinese-sponsored attacks on UK business - the Serious Organised Crime Agency (Soca) is watering down its focus on e-crime.
Private sector condemnation is growing. “It is utter bedlam and the current situation is not fit for purpose,” a chief security officer responsible for a major part of UK critical infrastructure told Computing.
Three million records lost in another government data scandal
The UK government has revealed that a US-based IT contractor has "lost" the records of three million British learner drivers in the latest missing data scandal to hit Whitehall.
Transport secretary Ruth Kelly was forced to confess to the second major security breach involving personal records from a government department in a statement to MPs.
Security vendors team up for better product testing
A group of leading IT security vendors have teamed up to devise a new standard for testing the effectiveness of their products.
Panda, AV-Test, Symantec, Kaspersky and F-Secure have formed the Anti-malware Testing Taskforce to help users of their software to better compare one system with another.
The new methodology will be based on behavioural analysis, which replicates how a PC would deal with a threat.