Friday, January 2, 2015

Needed: Weapons to Attack Payment Card Attackers


Underground bazaars selling payment card data seem to operate with impunity. The financial services industry, law enforcement officials, and issuers seem to relegate the monitoring and discovery of thefts to private researchers such as Brian Krebs and his krebsonsecurity.com web site. When a pawn shop openly sells stolen goods, or an arsonist announces a plan to set a fire, or a mugger attacks a victim in a camera’s view, society reacts and moves to stop the activity. Law enforcement captures the offenders, prosecutors prove violation of unambiguous laws, and judges sentence the offenders. Yet the financial data bazaars operate without fear of justice, sell their stolen data without hindrance, and feed a blossoming market for thieves.

Perhaps there is room for controlled internet vigilantes. If any private entity attacks a rogue web site, it risks arrest and prosecution for violation of a number of federal statutes. Law enforcement officials cannot arrest, victims cannot attack, and countries hosting the sites do not seem to care. The situation is not without precedent. Governments winked at the activity of privateers or openly gave them license to attack enemy merchants on the open seas. Perhaps an internet privateer is a concept that works on the electronic open sea.

Governments can grant licenses to private entities to attack a web site. If a would-be internet privateer (or a privateer’s sponsor) presents evidence to a duly constituted court that a web site outside the jurisdiction or reach of the court causes harm to citizens under the jurisdiction of the court, then the court can grant an internet privateer license that gives the holder immunity from prosecution for attacking the specific rogue web site. There may be various levels of licenses. One level may be for simple denial of service attacks, while other licenses may allow the tracing of data, others the deletion of data, and others the destruction of hardware.

If such a privateer license exists, then an industry of attackers may meet the criminal enterprises head-on. The financial services industry may offer large bounties for privateers willing to permanently (or for a specific time) eliminate a financial data bazaar. The methods for attack may become as varied as the original attacks that steal financial data. Privateers will create methods for proving that they, and not their competitors, disabled the site. Governments will create specialized courts to handle the requests and fund them with license fees, ensuring efficient and timely license grants. Card holders and retailers at last will not feel that they are the only ones under a cyber siege.

Of course there are lobbies that will not want internet privateer licenses. Acquirers and others that receive good income from bad traffic (especially when the card is not present in the fraudulent transactions) may argue that vigilantism does not work for a society built on observance of laws, not the wholesale breaking of them for a profit. However, ultimately no politician will want to side with international mobsters, and with just a bit of coddling, cyber vigilantism will become as normal as a tweet on a sporting event.

Next Blog: New Fraud Detection Techniques for Needs Based Payment Systems
