December 02, 2003

Federal authorities and investment firms are getting serious about Internet-related fraud. Recently, Operation Cyber Sweep, which included 34 U.S. attorneys, the FBI, and various federal, state, local, and foreign law-enforcement agencies, targeted cyberfraudsters and netted 125 arrests and more than 70 indictments.

The operation targeted some of the most common online fraud schemes: identity theft, international money laundering, theft of business trade secrets, auction fraud, Web-site spoofing, and cyberextortion. These schemes involved more than 125,000 victims with losses estimated to exceed $100 million.

In one case, a Pennsylvania man allegedly used a Trojan horse to capture the password of an investor's online account, a stark example of the security scams that investment firms face.

Nineteen-year-old Van Dinh faces criminal and civil securities-fraud charges after he was accused of tapping into a TD Waterhouse account held by a 34-year-old Boston man. Securities and Exchange Commission officials allege the accused used an online stock-discussion forum and encouraged people to download software, which included a Trojan horse. Trojan horses let hackers take over a computer without the user's knowledge.

This is the first case in which a hacker has been accused by the SEC of using another person's account to place trades. The case heightens the growing concern about online commerce. The SEC is so concerned about security and identity theft that it's undertaking a review of procedures and policies that companies have in place, says John Walsh, associate director and chief counsel at the SEC.

The SEC tries to identify best practices and find out which firms are leading and which are lagging, Walsh says. It's also looking to see if an industry standard can provide a benchmark to measure companies' security initiatives.

It's not just the SEC that has its eyes on security. The Federal Trade Commission is examining businesses' representations about how they keep information secure, says Michael Overly, a lawyer at Foley & Lardner, which specializes in financial-services technology and the law.

The FTC recently issued a $12,000-a-day sanction against a retailer, even though there was no breach of information. Instead, the FTC found the retailer's security system didn't live up to its billing and the representations made to customers about protections. That, Overly says, should concern financial institutions, which often tout how secure their systems are.

Regulators' interest in security is just more pressure on IT managers. In the past year, there's been a heavier focus on identity theft, Trojan horses, Web spoofing, and worms. The main change in security is the frequency of attacks, says Robert Garigue, chief information security officer at Bank of Montreal. In the past, he says, there would be one or two security events a year. "You used to fight one battle at a time. Now, the tempo has increased."

For fending off viruses, companies continue to depend on patch management. "Vulnerability management is a large challenge for us," says Lee Ann Summers, head of risk management at financial-services firm ABN Amro. "The problem with the current state of patch management is that it's reactive. When you react all the time, it's hard to maintain a strategic focus."

The bottom line, Summers says, is that companies must react faster and be smarter. "You have to tackle security from a bunch of different fronts and get management support. You need to be creative and use the tools to figure out how to get the best bang for your dollar."

Article originally appeared in InformationWeek, Dec. 1, 2003.