Last week I needed an item at a Harbor Freight store in Austin. Harbor Freight deals in low- to
mid-priced tools imported from China, and unless you’re looking for something
that will last for decades, it’s a good place to shop. As soon as I walked in the door, one of
the cash-register attendants came up to me and said, “Just to let you know, our
registers are down and all we’re taking is cash right now.” I’m one of those troglodytes (look it
up) who prefers cash anyway, so this didn’t bother me other than the fact that
I had to wait in a long line that was backed up because the sales clerk had to
look up each item’s SKU on a handheld unit, write down the price by hand, add
up the total on a calculator, and make change. When I paid for my item, the
clerk asked me if I minded not getting a receipt. I replied, “Not as long as somebody doesn’t stop me at the
door for shoplifting.”
While I was waiting in line, I saw posted next to the register a notice
from Eric Smidt, Harbor Freight’s president. It was about a recent incident of hacking that resulted in
the theft of a large number of their customers’ credit-card numbers, and said that
the firm was taking every possible step to deal with the problem. Whether this issue had anything to do
with their registers going down that day is unclear, but it got me to thinking
about the differences between old-fashioned analog theft and cybercrime.
Now if dozens of Harbor Freight customers had been koshed on the heads
as they left the stores and had their wallets taken, I bet you would have heard
about it in the news. Old-fashioned
personalized one-on-one crime like that is much more likely to be reported by
the injured individual, and because the criminals tend to be local, the local
jurisdiction responsible has a fairly straightforward job on its hands, once
the crook is identified. But those
responsible for the Harbor Freight data breach could be literally anywhere in
the world that there is an Internet connection, which means just about anywhere
in the world.
Cybercrime is a lot less risky.
According to online reports, the Harbor Freight breach may have been one
of 2013’s largest in terms of numbers stolen, comparable to a similar attack
that netted about 2.4 million customer debit and credit card numbers. The company found out about the attack
in June, when credit-card firms began noticing a lot of fraudulent charges to
accounts owned by Harbor Freight customers. Apparently the hackers penetrated the company’s main network
and gained access to data from all 400 of its retail stores.
There are several ways the criminals can profit from their ill-gotten
numbers. The retail way is to use
the cards themselves to buy stuff they want. My own credit-card number was stolen this way once, and in
the list of charges that my bank seriously doubted I’d made were things like
services at an upstate New York spa and jewelry charged to a Las Vegas
store. But the big money is in the
wholesale underground exchange of hard cash for hot credit-card lists, and I
suspect that is what the Harbor Freight crooks did with their numbers.
Because it’s so hard to catch and convict cyber criminals, most companies
rely instead on anti-virus software, firewalls, and other protective measures
rather than spending a lot of effort in working with law enforcement personnel
to catch the perpetrators. But a
recent study by a group of researchers based in Cambridge, England points out
that this may not be the most cost-effective approach.
The study shows that the amount of money lost per person to number
thievery such as occurred with the Harbor Freight customers is in the range of
a few dollars per customer per year.
On the other hand, the money spent by firms on computer security
measures may exceed what is lost to this type of cybercrime. The authors say it might be cheaper
overall to spend more money on tracking down the relatively small number of
cyber criminals, and less on security measures.
That is good advice as far as it goes, but it neglects the hard problem
of jurisdictional diversity, as you might call it. Say you can locate the Harbor Freight perpetrators, and they
turn out to live in a country that has a dysfunctional government that can’t
enforce ordinary laws, let alone laws about cybercrime. Short of mounting an armed invasion of
the country to catch the crooks, a private firm or even another sovereign
country has its hands tied. Unless
some effective international agreements could be made for the extradition of
cyber criminals, and some uniform laws passed in every host country that make
the same actions illegal everywhere, it will continue to be very hard to punish
those who steal data across international boundaries. Look at the trouble the U.S. government has had with Eric
Snowden, who committed a data breach of NSA information right here in the U.S.
and then ran off with it to Russia, which has recently granted him asylum. Once international relations and
antagonisms get mixed into a criminal act, things get vastly more complicated.
Overall, we benefit greatly from the worldwide coverage of the Internet
for both global commerce and less quantifiable benefits such as the freedom to
communicate political and cultural ideas across boundaries. These benefits come at a cost, however,
and it looks like unless the international jurisdiction problem can be
addressed more effectively than it has been in the past, we will have
international cybercrime with us for the foreseeable future. And despite Eric Smidt’s assurances,
which I’m sure are sincere, the next time I go to Harbor Freight I think I’ll
bring cash along. But I think I’ll
ask for a receipt.
Sources: A report on the Harbor Freight data
breach can be found at the Bank Info Security website at http://www.bankinfosecurity.com/impact-harbor-freight-attack-grows-a-5970/op-1. The Cambridge cybercrime report is
discussed at gcn.com/Articles/2012/06/18/Cost-of-cybercrime-Cambridge-study.aspx. And the difficulties of prosecuting
crimes in different jurisdictions are described well by Deb Shinder at http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/.