Underground bazaars selling payment card data seem to
operate with impunity. The financial services industry, law enforcement
officials, and issuers seem to relegate the monitoring and discovery of thefts
to private researchers such as Brian Krebs and his krebsonsecurity.com web site. When a
pawn shop openly sells stolen goods, or an arsonist announces a plan to set a
fire, or a mugger attacks a victim in a camera’s view, society reacts and moves
to stop the activity. Law enforcement captures the offenders, prosecutors prove
violation of unambiguous laws, and judges sentence the offenders. Yet the
financial data bazaars operate without fear of justice, sell their stolen
data without hindrance, and feed a blossoming market for thieves.
Perhaps there is room for controlled internet vigilantes. If
any private entity attacks a rogue web site, it risks arrest and prosecution
for violation of a number of federal statutes. Law enforcement officials cannot
arrest, victims cannot attack, and countries hosting the sites do not seem to
care. The situation generally is not without precedent. Governments winked at
the activity of privateers or openly gave them license to attack enemy merchants on
the open seas. Perhaps an internet privateer is a concept that works on the
electronic open sea.
Governments can grant licenses to private entities to attack
a web site. If a would-be internet privateer (or a privateer’s sponsor) presents
evidence to a duly constituted court that a web site outside the jurisdiction
or reach of the court causes harm to citizens under the jurisdiction of the
court, then the court can grant an internet privateer license that gives the
holder immunity from prosecution for attacking the specific rogue web site.
There may be various levels of licenses. One level may be for simple denial of
service attacks, while other licenses may allow the tracing of data, while
others allow the deletion of data, and others allow the destruction of
hardware.
If such a privateer license exists then an industry of
attackers may meet the criminal enterprises head-on. The financial services
industry may offer large bounties for privateers willing to permanently (or for
a specific time) eliminate a financial data bazaar. The methods for attack may
become as varied as the original attacks that steal financial data. Privateers will create methods for proving
that they disabled the site and not their competitors. Governments will create specialized courts to
handle the requests and fund them with license fees, ensuring efficient and
timely license grants. Card holders and
retailers at last will not feel that they are the only ones under a cyber siege.
Of course, there are lobbies that will not want internet
privateer licenses. Acquirers and others that receive good income from bad
traffic (especially when the card is not present in the fraudulent transactions)
may argue that vigilantism does not work for a society built on observance of
laws, not the wholesale breaking of them for a profit. However, ultimately no
politician will want to side with international mobsters, and with just a bit
of coddling, cyber vigilantism will become as normal as a tweet on a sporting
event.