On Thursday, the 30th September 2012, Police Minister Nathi Mthethwa announced the South African Police Services (SAPS) Crime Statistics for the period between 31st March 2011 and 1st April 2012. When one listens and reads through the debates on this releases, this quote from unknown author – “Facts are stubborn things, but statistics are more pliable.” – brings solace to their pliability but still reminds us that cybercrime statistics are still not part of this release. This is a fact that will remain like a growing stubborn stain on a white cloth as we continue to see a wave of technological penetration in a form of devices and services (cloud) into our homes, workplaces, schools, churches, stadiums, shebeens, etc.. The defence goes on about how difficult it is to do cybercrime statistics based on the intricacies involved. Surely, if you can’t define it – you can’t measure it. Will measuring cybercrime in Mzantsi provide us with the basis of understanding improvements in the lives of the poor and ensuring that All People in South Africa Are and Feel Safe? Crime prevention and safety is a high priority of the SA government, and Statistics SA has begun with the Victims of Crime Survey (VOCS) 2012 to produce a VOCS series annually. Consumer fraud (26.3%) was the least likely crime to be reported, followed by robbery (excluding home robbery and carjacking) (33.1%), theft of personal property (34.4%) and assault (49.4%) in 2011. “Cybercrime” related fraud was experience due to Identity theft (10.9%) and Internet banking (3.5%).
In the quest to fill the gap left in these reports – Craig Rosewarne, MD of Wolfpack Information Risk, presented the findings of the The 2012/3 South African Cyber Threat Barometer report on Friday, the 28th September 2012. The event was hosted at Microsoft SA together with SecureData. The program was lined up with exciting speakers which included Susan Potgieter (General Manager: Commercial Crime Office – South African Banking Risk Information Centre (SABRIC)) and she talked with us about “South African banking industry’s response to the cyber threat”. This talk was preceded by Palesa Legoze (Department of Communication’s Chief Director of Cybersecurity) who shared with us how the department is addressing outcome three (3) on Safety and Security: “All People in South Africa Are and Feel Safe”.
The 2012/3 South African Cyber Threat Barometer report is a strategic public–private partnership (PPP) research project to support initiatives that wish to address the growing cyber threat facing our nation. The official sponsors of this research-The British High Commission through Tim Moody (Second Secretary, Science & Innovation) shared with us the “UK’s response to the cyber threat”. The event’s keynote titled “Connectivity, Borders and Media” by Sarah Carter – CBS News Johannesburg Bureau Chief was just impressive considering the direction she took to introduce cybersecurity issues around the world from the eyes of a journalist. Sarah has covered a wide range of news events, including South Africa’s transition to democracy, the embassy bombings in Nairobi and Dar es Salaam, and the networks 9/11 coverage from the Middle East and Asia. She has interviewed newsmakers such as Nelson Mandela, Bill Clinton, Mobutu Sese Seko and Fidel Castro
One of the videos she shared was the “Amazing mind reader” below:
The message in this video was very clear about protection of privacy and how we easily lose it through social media. Craig took us through “Take This Lollipop” – an interactive short video that turns Facebook fears into two minutes of horror. Visitors to the site are first presented with an image of a lollipop with a razor blade in it — don’t take candy from strangers, kids — and asked to grant access to their Facebook account. “Our privacy was dead a while back and will never be the same,” said the creator – Jason Zada. “Life as a whole has changed. If you look at the video, the scariest part is that your information is in the video. The piece is scary because a person is violating your privacy, not because it’s bloody or there’s anything jumping out.”
Financial Institutions Attacks
The 2012 SA Cyber Threat Barometer is a strategic public–private partnership (PPP) research project conducted by the Wolfpack Information Risk research team with the intention to provide ongoing strategic insight and opinion in support of Cabinet’s recently approved National Cyber Security Policy Framework for South Africa. In summary, this policy framework outlines policy positions that are intended to:
a) address national security threats in terms of cyberspace
b) combat cyber warfare, cybercrime and other cyber ills
c) develop, review and update existing substantive and procedural laws to ensure alignment;
d) build confidence and trust in the secure use of Information and Communication Technologies (ICTs)
e) establishing trusted forums for information sharing;
f) developing a cyber security curriculum;
g) raising cyber security awareness; and
h) encouraging the ICT security industry to increase research and development
The key issues identified by the research are:
- Denial of service (DoS), economic fraud and the theft of confidential information were cited as the main concerns for SA.
- The top cyber services targeted are internet banking, e-commerce sites and social media sites.
- Criminals are typically mainly after logon credentials, bank or credit card information and personally identifiable information (PII).
- The most common attack methods are still phishing, the abuse of system privileges and malicious code infections
- The internal monitoring of suspicious transactions and the general use of internal and 3rd party fraud detection mechanisms are still the most effective means of detecting cybercrime.
- The common top cyber vulnerabilities are:
- Inadequate maintenance, monitoring & analysis of security audit logs
- Weak application software security
- Poor control of admin privileges
- Inadequate account monitoring & control
- Inadequate hardware/software configurations
The Wolfpack research pointed out that, of the R2.65 billion lost, about 75% was recovered. “Based on the government’s average recovery rate of 75% and similar case study recoveries, the estimated loss figure would be approximately R662.5 million,” noted Rosewarne.
The figure above shows that Internet banking clearly stands out as the most targeted cyber services in SA followed by e-commerce web sites. That includes enterprise web portals (Internet facing corporate websites) which are being targeted as more organizations and systems are dependent on the Internet. Bank customers, according to SABRIC, reported phishing related losses of R92.4 million in approximately 10 000 incidents reported industry wide. A conservative loss estimate based on other known incidents, makes up the balance. With no other reliable industry stats this is considered to be the minimum loss for this sector. See other statistics in the blog: Microsoft Security Intelligence Report v13–South Africa’s Perspective
Fair enough, let us give credit to the work done by the SAPS towards the release of the Crime Statistics Overview RSA 2011/2012 so far and as W.A. Wallis defined statistics as “a body of methods for making wise decisions in the face of uncertainty.”, we also need to make wise decisions to address the negative impact Internet related crimes is having on our country’s economy. I’m talking about Cybercrime, CyberEspionage, and Hacktivism towards our government, financial institutions, online services, political organizations, law enforcement (LE), e-Commerce, etc. Let’s just focus on cybercrime for now and look at the work reported to see whether we will be able to identify the gaps. The figure above shows that bank robbery in RSA decreased by 65.7% over a period of three (3) years – an average decrease of 21.9% per annum.
The video above is showing a sting operation in a Johannesburg bank. Clearly the Law Enforcement (LE) increased the pressure on the criminals through this operations hence a possibility of a diversion. A decrease of 10.3% in bank robberies was recorded in 2011/12.
Starting in the early 90s with South Africa’s most famous heist mastermind, Collin Chauke, Robbery Cash in Transit developed into extremely violent and bloody crimes. Cash-in-transit gangs turned their crimes into high-tech operations with groups purchasing high-powered weapons from foreign arms dealers and using hijacked or stolen vehicles to ram cash vans off the road. Operation Greed, operated by the Serious and Violent Crimes Unit, was established to combat cash-in-transit heist and bank robberies with detectives working closely with the banking council and SABRIC. This has resulted with the decrease by 52.8% over a period on three (3) years – an average decrease of 17.6% per annum.
A decrease of 17.5% in robbery cash-in-transit was hence realised due to the operations of the SA Special Task Forces as per the heist video above. The headlines reads “SA bank working on bombproof ATMs” as this type of attacks are still persistent. The latest ATM Bombing was reported on the 3rd Nov 2012 and LE are searching for a group of men that allegedly bombed two ATMs at Merrivale Spar –KwaZulu-Natal during the early hours of the morning. The ATM bombings incidents from SABRIC shows a pendulum motion type of fluctuation over years.
It was reported during the Justice, Crime Prevention and Security (JCPS) cluster media briefing on the 25th June 2012 that a total of 155 cybercrime matters were finalised during the past financial year, FY11. They noted that the majority of cases appear to involve unlawful electronic fund transfers/fraud, etc. where the password of the complainant was obtained or cloned cards being used. The conviction rate on average stands at 89%. This gives hope to the fact that “cybercrime” had being measured in FY11 and hence I trust it will be included soon in the national crime statistics. Below are two videos that shows how robbers bombed an ATM and at the end of the blog the video show how they cracked an ATM in less that a minute.
The Victims of Crime Survey (VOCS) released by Statistics SA, showed that South Africans are feeling less safe in their homes despite reported decreases in house burglaries. Objectives of VOCS are to determine:
- The nature, extent and patterns of crime in South Africa, from the victim’s perspective
- Victim risk and victim proneness, so as to inform the development of crime prevention and public education programmes
- People’s perceptions of services provided by the police and the courts as components of the criminal justice system
The figure below shows the percentage distribution on how consumer fraud took place in 2011. More than a quarter (27.4%) of the selected individuals indicated that the fraud they experienced had to do with sales persons, followed by shop related fraud (24.5%) and identity theft (10.9%). The least prevalent types of fraud had to do with insurance (2.6%) and mail-orders (0.8%).
Denial of service (DoS) attacks, economic fraud and theft of confidential information were cited as main concerns for SA and top cyber services targeted are Internet banking, e-commerce sites and social media sites as per the South African Cyber Threat Barometer 2012/13 report. “Criminals are typically mainly after log-in details, bank or credit card information, and personally identifiable information,” Rosewarne explained.
While it is good to see that bank robbery and cash-in-transit has being going down due to the pressure from a collaboration of the law enforcement and financial sector, it’s evident from the Statistics SA data and the South African Cyber Threat Barometer 2012/13 report that the criminals are now focusing on the weaker link – the citizens. The year 2009 also saw an emergence of high-tech heist across the world targeting banks (see High-Tech Heist – 2,100 ATMs Worldwide Hit at Once) and we recently had our own in SA (see Can the financial sector bank on Cybersecurity?).
Output 8 of the Justice, Crime Prevention and Security talks to Cyber Crime being Combated. Cyber-security remains key priorities for JCPS as they have detrimental effect on the economy and most vulnerable people of the country. A clear view of the cybercrime statistics will help us in understanding this emerging crime in SA and enable us to plan for its reduction. Awareness, training and proper management of security controls would therefore reduce the financial impact firstly at a Corporate level, Government and ultimately then for the national economy.
The developments around the establishment of the National CSIRT by Department of Communication in partnership with members of the JCPS are very encouraging. Collaboration with private sector establishment like SABRIC, The Internet Service Providers’ Association (ISPA), Telco’s (e.g. Telkom),The Information Technology Association (ITA), etc. will help in ensuring that we have a coordinated security incidents picture for South Africa. Awareness and skill development across the board is key and it’s good to see some tertiary institution already contributing to this course. Hopefully we should be able to “define this problem so that we can measure it” and enhance the Law Enforcement capabilities to curb this scourge. We need the 1011 data as one of the sources of cybercrime information and report like “ Police to investigate poor 10111 report” should be dealt with accordingly soon.
We need to learn from international lessons quickly on taking down of botnets and start contributing effectively. A recent Microsoft’s study [PDF] behind Operation b70 found that PC consumers might be at risk of malware infection even with brand new computers, if the computers come pre-installed with counterfeit versions of Windows software. In order to improve the security of the Internet, governments and industry should engage in more methodical and systematic activities to improve and maintain the health of the population of devices in the computing ecosystem. These activities include detecting infected devices, notifying affected users, enabling those users to treat devices that are infected with malware, as well as taking additional actions to ensure that infected computers do not put other systems at risk. While the security benefits may be clear, it is important to achieve those benefits in a way that does not erode privacy or otherwise raise concern.
The Internet Health Model for Cybersecurity will only work if it’s accepted by society and people are assured their privacy is protected. With that in mind, the model must empower people by developing socially acceptable cyber health policies, laws, and international agreements.
To learn more about Microsoft’s proposal, download and read Collective Defense: Applying Public Health Models to the Internet (PDF), in which Microsoft proposes government and industry take action to help mitigate cyber threats today and ensure the long-term health of the Internet as it continues to grow and evolve.