The e-crime epidemic

The banks also have alarming figures for payment fraud and, according to APACS, in the first half of 2007 web transactions accounted for 75% of the loss from Card Not Present crimes – a figure that’s growing at 50% a year.

Tip of the iceberg

According to a report from the security software company Garlik, however, these official crime statistics are regarded as the “tip of the iceberg”. The situation is made worse by the fact that, in a bizarre case of passing the buck to the private sector, Home Office regulations introduced in April 2007 changed the way credit card thefts and much internet fraud is reported. Move over PC, bring on PLC. Rather than reporting this crime to the police for investigation, victims are now told to talk to their bank.

“You report much e-fraud to the bank, not the police, so the banks have initial information on a particular crime and they can package it up and make it easier for the police to investigate,” says Mark Bowerman, spokesperson for APACS. “If a crime is linked and all the different jurisdictions are reporting independently to different stations, there’s no way of knowing they’re investigating the same crime, but the bank can make an initial report into what’s happened.”

The problem is that the banks aren’t obliged to pass on the crime reports to the police, and many people think it’s madness to hand control to institutions with a vested interest. “The decision on whether to pursue and investigate is made by the banks,” admits Bowerman. “But it’s never been the case that every instance of fraud or any crime has been investigated.”

Critics of the scheme believe this is yet another argument for establishing a central reporting panel for e-crime, because there are real concerns that the banks massage the figures. The Metropolitan Police recently told the House of Lords Science and Technology Committee it believes 20-30 attempts are made to hack information from organisations and financial institutions each day, but that the figure was a gross underestimate because “the banks don’t want to lose consumer confidence, or because financial institutions don’t have faith in the police to be able to tackle these issues.”

Even if banks are telling the truth, consumer confidence in the figures could still be eroded. “Banks aren’t the best place for collecting data,” claims Graham Cluley of security firm Sophos. “We see a similar problem with viruses and hacks – the police just don’t want to know and they tell people to speak to the antivirus companies.

“That puts us in a position of needing to collect data to assess the scale of the problem, but we have a vested interest in saying the problem is big – and, in this case, the banks have an interest in telling us the problem is small. It’s like asking the padlock industry to collate details on bicycle theft – it isn’t realistic.”

Apart from the potential damage to their reputation, the banks have another good reason for simply paying the price of criminality and passing on the costs in bank charges – it’s cheaper than solving crime. “From a bank’s point of view, they’re already incurring significant costs because they’re going to have to recompense you anyway,” says Peter Sommer, computer crime expert at the London School of Economics. “Getting the police involved only makes it more expensive for them, as they need to do all the paperwork and police liaison.”

The banks may be happy to accept crime as par for the course, but the real victims of the crime are most certainly not. “It’s important to have a central area for co-ordinating these issues, because at the moment there’s nowhere to report e-crime,” says Neil Stinchcombe, who has set up a petition on the Downing Street website calling for change. “No-one has a clue where they should be reporting crime or what action will be taken, so no-one actually knows how big the problem is. E-crime is evolving faster than the technology and tools we have to protect us from it, because the criminals have access to better tools and resources than the police.”