e-Security awareness cuts both ways. If policy makers take the digital economy seriously, then they need to be aware of the limitations of relying on user education alone to protect the people against cyber crime.
National e-Security Awareness Week is terrific. You gotta have awareness of safe Internet behaviours – it’s just like road safety. But awareness is not enough. Here I will argue that user education has reached its limit and that we need the same sort of balanced approach to e-security as we have in road safety.
Frankly, organised cyber crime has got to the point where user education is simply powerless. The Internet has given criminals x-ray vision into people’s banking details, and perfect digital disguises with which to defraud businesses and governments. Identity theft is perpetrated by sophisticated organised crime gangs, behind the backs of the best trained and best behaved online shoppers, aided and abetted by insiders corrupted by enormous rewards.
We must move beyond e-security education and awareness, to include standards, technology, and where necessary, regulation. Government should lead by example. It should deploy state-of-the-art digital identity technologies to safeguard its citizens when rolling out coming generations of online services, such as health identifiers, shared electronic health records, e-voting and so on.
e-Security is poorly served by the preoccupation with user education. Numerous governments and industry groups have developed extensive security advice; see e.g. www.protectfinancialid.org.au and www.staysmartonline.gov.au. It’s all very sensible (if a little overwhelming for average users). Yes we should pick hard-to-guess passwords and change them frequently; yes we must have personal firewalls, fully patched operating systems, and up-to-date anti-virus software; and yes of course we must be alert to phishing and never click on strange links.
But none of this advice protects us anymore against ID theft. The most recent cyber criminal attacks – at Heartland Payment Systems, TJMaxx and the like – have seen the personal details of millions of consumers taken in massive raids on merchant databases. These organised attacks go on behind the scenes, out of sight of even the most careful online customers. They steal the details of department store shoppers, so you might never have shopped online and still have your credit card details stolen.
Stolen identity data is traded on a thriving black market, and is used in a range of criminal enterprises. The most overt identity crime is Card Not Present (CNP) payment fraud, where stolen credit card numbers and account details are replayed against unsuspecting e-merchants. Credit card fraud increasingly finances terrorists, see here. CNP fraud in Australia is the single biggest and fastest growing form of fraud; in 2009 it cost $71M, accounting for half of all card fraud (see www.apca.com.au). The European Commission’s Fraud Prevention Expert Group (FPEG) has reported that ID fraud has reached the point that it “undermines the general confidence in payments systems”.
As a community, we accept that road safety rests evenly on enforceable road rules, legislated standards, quality automotive products, sophisticated traffic systems, and driver training and licensing. Education alone would be worthless.
I wonder why we’re so reluctant to intervene in e-safety? We happily mandate pool fences, bike helmets, seat belts, elevator maintenance, water chlorination, restaurant hygiene; in NSW, we even quarantine our kids if they’ve gone to a rugby league match in Melbourne. But despite the professed importance of the digital economy, we still treat cyber space like the Wild West: it’s everyone for themselves!
It is high time that we took a balanced approach to safety on the Internet, as befits any other critical infrastructure.
To really curtail cyber crime, we need proper technological preventative measures, not more awareness campaigns, policies and audits. Stolen personal data should be rendered useless to thieves, to remove the profit motive for organised ID theft and to neutralise the ID black market.
The tools are at hand. The banking industry has recently initiated a massive worldwide shift to improved card technology, replacing magnetic stripes with chips that cannot be readily skimmed. In other parts of the world, smartcard technology is already commonplace in government ID and entitlements; for instance, France, Germany, Austria, Italy, Thailand and Taiwan all use smart health cards, to better manage public health insurance, e-health and patient privacy.
Smartcards and like technologies could now be leveraged for e-security. Just as they protect customer details against skimming, smartcards can protect digital identities from online theft. For instance, a smartcard can tell if its user is connecting to a real site or a phishing site. And it can encrypt one’s digital identity so that it remains private between you and a merchant, and cannot be replayed later in another illicit transaction. The public’s aversion to smartcards owes largely to previous crude government-centric proposals; a more favourable response is likely if future smartcards are designed to be user-oriented, opt-in and decentralised, and if they preserve our diverse private relationships with different service providers.
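The two properties claimed above (the card checks that it is talking to the genuine site, and its credential is bound to one site and one transaction so a captured copy cannot be replayed) can be shown with a small challenge-response model. The code below is an added illustration, not code from the author or from Lockstep. It assumes a simplified design: symmetric HMAC keys stand in for the card's on-chip private key and the site's certificate (a real card would use a public-key signature so the merchant cannot forge card responses), the site names, amounts and keys are constructed sample values, and the card's list of trusted sites plays the role of the certificate store.

```python
import hmac
import hashlib
import secrets

# Constructed demo keys. A real smartcard keeps a private key that never leaves the
# chip and the site would hold a certificate; symmetric HMAC keys are used here so
# the example runs offline without any crypto library.
CARD_SECRET = b"constructed-card-secret-0001"
SITE_SECRETS = {"shop.example": b"constructed-site-secret-shop"}  # sites the card trusts


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed string fields, so fields cannot run into each other."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        data = p.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


class Site:
    """An online merchant: issues a fresh challenge per transaction and verifies the card's reply."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret
        self.issued = set()  # nonces handed out, awaiting a response
        self.used = set()    # nonces already consumed by a verified transaction

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        # The site proves it holds its own key; a look-alike site cannot forge this proof.
        proof = _mac(self.secret, self.name, nonce)
        return {"site": self.name, "nonce": nonce, "proof": proof}

    def verify(self, response):
        # Reject credentials bound to another site, nonces we never issued, or nonces already spent.
        if response["site"] != self.name:
            return False
        if response["nonce"] not in self.issued or response["nonce"] in self.used:
            return False
        expected = _mac(CARD_SECRET, response["site"], response["nonce"], response["amount"])
        if not hmac.compare_digest(expected, response["tag"]):
            return False  # tag does not cover this site/nonce/amount: tampered or forged
        self.used.add(response["nonce"])
        return True


class Card:
    """The smartcard: refuses unverified sites, then signs a credential tied to site, nonce and amount."""

    def __init__(self, secret, trusted_sites):
        self.secret = secret
        self.trusted = trusted_sites

    def respond(self, challenge, amount):
        key = self.trusted.get(challenge["site"])
        if key is None:
            return None  # unknown site: treat as phishing, release nothing
        if not hmac.compare_digest(_mac(key, challenge["site"], challenge["nonce"]), challenge["proof"]):
            return None  # site claims a trusted name but cannot prove it: impersonation
        tag = _mac(self.secret, challenge["site"], challenge["nonce"], amount)
        return {"site": challenge["site"], "nonce": challenge["nonce"], "amount": amount, "tag": tag}


def demo():
    """Run the honest flow plus the replay, tampering and impersonation cases; return the outcomes."""
    shop = Site("shop.example", SITE_SECRETS["shop.example"])
    other = Site("other.example", b"constructed-site-secret-other")
    card = Card(CARD_SECRET, SITE_SECRETS)
    results = {}

    resp = card.respond(shop.challenge(), "49.95")
    results["genuine"] = shop.verify(resp)                # True: fresh, correctly bound
    results["replay_same_site"] = shop.verify(resp)       # False: nonce already consumed
    results["replay_other_site"] = other.verify(resp)     # False: credential bound to shop.example

    resp2 = card.respond(shop.challenge(), "10.00")
    tampered = dict(resp2, amount="1000.00")
    results["tampered_amount"] = shop.verify(tampered)    # False: tag covers the original amount

    # A phishing site using the trusted name but without the trusted key fails the site proof.
    phish = Site("shop.example", b"constructed-phisher-guess")
    results["phishing_rejected"] = card.respond(phish.challenge(), "49.95") is None  # True
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the model is the binding: because the tag covers the site name, a one-time nonce and the amount, a copy of the credential harvested from one merchant's database is worthless to a thief at any other merchant, at the same merchant a second time, or for a different amount. The site-proof step is what lets the card refuse a look-alike site before releasing anything; in a deployed system the card would also need to bind the proof to the connection the browser actually opened, otherwise a phishing site could relay a genuine challenge.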
So in this National e-Security Awareness Week, I implore policy makers and legislators to be aware of this: No amount of education, security policy or compliance audit can overcome the profit motives of organised crime today. If the digital economy is as critical as we all say it is, then citizens participating in it deserve a proper national e-security system.
Stephen Wilson is Managing Director of the Lockstep Group. Lockstep Consulting provides independent advice and analysis on identity management, PKI and smartcards. Lockstep Technologies develops unique new smart technologies to address transaction privacy and web fraud.
Stephen Wilson is a guest blogger of our "e-Security & Small Business" forum which is part of the National e-Security Awareness Week, an annual initiative aiming to raise awareness about the importance of e-security among Australians.
To learn more, visit http://www.staysmartonline.gov.au/ today.
To find out about how to protect your business and your customers and stay safe when working from home, go to http://www.staysmartonline.gov.au/small-business-security, or sign up for the following free services: