Note: This is an historic document. We are no longer maintaining the content, but it may have value for research purposes. Pages linked to from the document may no longer be available.
Internet Fraud
Testimony of Timothy J. Shimeall, Ph.D., CERT® Analysis Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Before the Pennsylvania House Committee on Commerce and Economic Development, Subcommittee on Economic Development
August 23, 2001
Introduction
Mr. Chairman and Members of the House Committees:
My name is Tim Shimeall. I am a senior researcher at the CERT® Analysis Center, which is part of the Software Engineering Institute (SEI) at Carnegie Mellon University. Thank you for the opportunity to testify on the issue of Internet fraud.
The CERT Analysis Center extends the work of the CERT Coordination Center, which was established in 1988, after an Internet "worm" became the first Internet security incident to make headline news, serving as a wake-up call for Internet security. The CERT Analysis Center identifies and predicts threats on the Internet by using technical, political, economic, and social data. (More details can be found in the attachment entitled CERT Analysis Center.)
The CERT Analysis Center uses technical data collected by the CERT/CC. Since 1988, the CERT/CC has responded to 63,000 computer security incidents and analyzed 3,700 vulnerabilities. This testimony is based on that broad experience and on the research and analysis under way at the Analysis Center.
Internet Fraud
The Internet was formed from the ARPAnet, a collection of defense-related computers operating with a high degree of trust in their users. This trust was reflected in the design of the basic protocols of the Internet, which lacked strong authentication either for users or for computers. No one predicted that the Internet would hold economically valuable information, and no one thought to include protections against misuse of information. The result is that today there is widespread fraud on the Internet, both for direct financial gain and for indirect gains, such as theft of service or gains in access privileges. Many of the incidents handled by the CERT/CC involve fraud to one degree or another, either as a goal or as a means.
In a broader context, this is not unusual. The Internet is a frontier. Just as the West of 150 years ago was plagued by its sellers of false mines, snake oil, and various types of "remedies," the Internet of today is plagued by fraud. Many of the reasons are the same—norms of behavior are not yet stable on the Internet, and law enforcement is difficult in the anarchy of the Internet. While new laws and programs may offer some degree of protection, eliminating this fraud will take a sustained effort over a long period of time.
The term Internet fraud is defined by the US Department of Justice Internet Fraud Center as "any type of fraud scheme that uses one or more components of the Internet—such as chat rooms, e-mail, message boards, or Web sites—to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme." (http://www.internetfraud.usdoj.gov/) This definition is consistent with, but not identical to, the definition in 18 PA C.S. Sec. 3933, where this activity is defined as a third-degree felony. This type of activity has affected individuals, corporations, and government agencies. My remarks today are aimed at identifying some of this activity and explaining the role of the Internet in contributing to this environment.
The major types of Internet fraud have been defined as 1) auction and retail schemes, 2) business opportunity or work-at-home schemes, 3) identity theft, 4) investment schemes, 5) credit card schemes, and 6) other schemes. Certainly, individuals have felt the brunt of many of these schemes, but corporations and government agencies have suffered as well.
- Auction and retail schemes are the most frequently reported type of Internet fraud, accounting for approximately 64 percent of all reports to the Internet Fraud Complaint Center. While more than 99 percent of the 1.3 million auction transactions occurring each day are legitimate, individuals have been victims of a variety of fraudulent practices. These practices include non-delivery of goods, misrepresentation of the goods' value, using stolen credit cards to purchase items placed for auction, adding hidden charges to the item, selling black market goods, using different aliases to offer multiple bids on an object, and intentional fake bidding by the seller of an item. According to the most recent statistical report, 5 percent of the victims of reported Internet auction fraud were citizens of Pennsylvania. This makes Pennsylvania the 5th most victimized state by this form of fraud (ranking behind California, Texas, New York, and Florida). Corporations are also affected by these fraud schemes, both from loss of payment due to use of stolen credit cards, and sales of counterfeit or copied goods.
- Business opportunity or work-at-home schemes use the Internet to offer opportunities to earn thousands of dollars a month to work at home. They collect anywhere from $35 to several hundreds in fees but fail to deliver the materials or information that would make the business viable. Internet email is used to blanket large numbers of individuals. An example of this kind of fraud is offerings of investment in Internet kiosks, which earn money as the public uses the kiosks to access Internet services. Though prime locations may form a viable business, hucksters are luring the unwary into investment schemes that either install no kiosks or place them in locations where the use is too minimal to be viable. Another, particularly pernicious form of fraudulent activity involves use of chain email Ponzi schemes claiming that participants will reap tens of thousands of dollars in only a few weeks. The email includes faked attestations of legality, naming governmental authorities. No valid authority would attest to such schemes, since simple arithmetic will show the fraud in these pyramid schemes. Though these "make money fast" schemes are nothing new on the Internet, they still deceive and defraud many individuals.
- Identity theft is an expanding problem on the Internet. Because it is so easy to gather large amounts of information on an individual or organization, it is also easy to successfully imitate a broad class of individuals. The result may be the loss of large amounts of money from bank accounts, fraudulently obtained loans and credit cards, false implication in criminal activity, and damage to the victim's reputation. The aftereffects of this activity may take years to recover from, and many individuals never recover completely.
For corporations, identity theft has involved unauthorized persons registering Internet domains based on corporate or product identities (cybersquatting) as well as unauthorized persons gaining online identity authentication for corporate identities (false certification). Governmental agencies have also suffered from cybersquatting and from the issuance of fake email announcements by unauthorized individuals. This becomes particularly worrying when governmental identities are stolen or infringed upon to lend a patina of credibility to fraud schemes. An announcement from revenue.state.pa.com might appear credible to many, leading them to believe that it comes from the valid location of revenue.state.pa.us.
- Investment schemes include market manipulation and telemarketing schemes. In market manipulation schemes, a stock or security is either fraudulently inflated in value (pump-and-dump) or fraudulently depreciated in value (scalping) to produce returns to the perpetrator. These schemes have had serious effects on a variety of corporations, and similar manipulations may also affect the integrity of municipal and state securities offerings, particularly as these offerings are increasingly automated. Telemarketing schemes may involve the use of the Internet to solicit participation in non-existent investment partnerships or funds, or to solicit investment in non-existent or non-viable corporations. Losses in a single one of these schemes involved 3,000 victims nationwide for a total of nearly $50 million.
- Credit-card schemes involve the use of unlawfully obtained credit cards or credit card numbers to order goods and services online. Perpetrators have extracted credit card information from compromised servers, generated fraudulent credit card numbers automatically, and used stolen identities to fraudulently obtain credit cards. The losses here involve losses to the individuals involved, the financial institutions involved, and the providers of goods and services. Banks that offer cash awards for new accounts have also become subject to fraud. One case involved an eighth-grade student in Missouri who opened more than 120 accounts under false names and transferred the resulting cash awards (over $2000) to his own real account.
- Other schemes include the so-called 419 scam, in which a purported representative of a foreign government seeks information for financial transfers, allegedly for recovery of diverted assets. Although these scams have typically named the Nigerian government, this activity is broadening. It increasingly involves email in preference to physical mail and phone calls. Individuals and corporations have lost thousands of dollars in such schemes.
Fake scholarship offerings, requiring a filing fee or other up-front costs, have deceived both parents and students into sending either cash or financial-transfer information. Since these fake scholarship schemes are targeted at new college entrants, they may strike families at an especially vulnerable time.
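The identity-theft item above notes that an announcement from revenue.state.pa.com can pass for one from revenue.state.pa.us. As an added illustration, not part of the testimony, the following script flags sender domains that copy a trusted domain's labels but swap the top-level label; the allow-list of trusted Commonwealth domains is constructed for the example (only revenue.state.pa.us appears in the text).

```python
import re
from typing import Optional

# Trusted Commonwealth sender domains: a constructed allow-list for this example.
# Only revenue.state.pa.us appears in the testimony; state.pa.us is assumed.
TRUSTED_DOMAINS = ("revenue.state.pa.us", "state.pa.us")

_ADDR = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an e-mail address, or raise ValueError."""
    m = _ADDR.match(address.strip())
    if not m:
        raise ValueError(f"unparseable address: {address!r}")
    return m.group(1).lower()

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `domain` imitates by swapping the
    top-level label (revenue.state.pa.com -> revenue.state.pa.us), or None."""
    labels = domain.lower().split(".")
    best = None
    for t in trusted:
        t_labels = t.split(".")
        stem = t_labels[:-1]              # labels below the TLD, e.g. revenue.state.pa
        # Same stem at the end of the sender domain (extra subdomains in front
        # are allowed), but a different top-level label.
        if (labels[-1] != t_labels[-1]
                and len(labels) > len(stem)
                and labels[-len(stem) - 1:-1] == stem):
            if best is None or len(t) > len(best):
                best = t                  # keep the most specific match
    return best

def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: address as 'trusted', 'lookalike:<real domain>' or 'external'."""
    domain = sender_domain(address)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    hit = lookalike_of(domain, trusted)
    return f"lookalike:{hit}" if hit else "external"

if __name__ == "__main__":
    # Constructed sample From: addresses for a batch of "announcements".
    for addr in ("notices@revenue.state.pa.us", "notices@revenue.state.pa.com",
                 "alerts@mail.state.pa.net", "news@example.org"):
        print(f"{addr:35} -> {classify_sender(addr)}")
```

The check covers only top-level-label swaps; misspelled or visually similar names need a separate comparison.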
Internet Trends and Factors Relating to Fraud
Fraud is not new. However, the Internet provides a new environment for perpetrating fraud. Among these Internet trends and related factors are the following:
- Use of the Internet involves indirect communication, in which it is easy to make false or misleading information sound true and appropriate. To appear to be authoritative on the Internet, one may simply write (or quote) authoritatively.
- The Internet is becoming increasingly complex and dynamic, but among those connected to the Internet there is a lack of adequate knowledge about the network and about security. This is particularly true of the younger members of our society. Adolescents may be skilled at using computers, but they often lack the experience and knowledge to protect their personal information and avoid schemes.
- Currently, there are tens of thousands—perhaps even millions—of systems with weak security connected to the Internet. Attackers are compromising these machines and building attack networks, and they will continue to do so. Attack technology takes advantage of the multitude of naive users and the power of the Internet to exploit its weaknesses and overcome its defenses. While there has been substantial publicity about the use of these attack networks to deny service, similar attack networks have been used to intercept information later used for theft of service or for fraud.
- Increasingly complex software is being written by programmers who have no training in writing secure code and who are working in organizations that sacrifice the security of their products for speed to market. This complex software is then being deployed in security-critical environments and applications, to the detriment of all users. This can result in lack of protection for personal information that can be used to perpetrate fraud.
- User demand for new software features instead of safety, coupled with industry response to that demand, has resulted in software that is increasingly open to subversion, computer viruses, data theft, and other malicious acts.
- The explosion in use of the Internet is straining our scarce technical talent. The average level of system administrator technical competence has decreased dramatically in the last 5 years as non-technical people are pressed into service as system administrators. Additionally, there has been little organized support of higher education programs that can train and produce new scientists and educators with meaningful experience and expertise in this emerging discipline. Because managers do not fully understand the risks, they neither give security a high enough priority nor assign adequate resources. This, in turn, may place credit card numbers or personal information at risk, allowing further frauds.
- The difficulty of criminal investigation of cyber crime and the complexity of international law mean that successful apprehension and prosecution of computer criminals is unlikely. Thus, deterrents are weak.
- The number of directly connected homes, schools, libraries and other venues open to all and without trained security staff is rapidly increasing. These "always-on, rarely-protected" systems allow attackers to continue to add new victims.
Near-Term Actions to Reduce Risk
In the near term, risk can be reduced through education, public outreach, and increased, systematic attention to Commonwealth computing.
- Anti-fraud education is needed in elementary and secondary schools. Students should become aware of the types of fraud currently being practiced, along with ways to identify and protect against these types of fraud. The goal is to help students and their parents protect themselves more effectively. This education can build upon many of the current educational modules that emphasize protection of personal information.
Anti-fraud education may be particularly important for students of "cyber schools." These schools have proven to meet a true educational need, but students (and parents) may be at increased risk for Internet fraud simply because the students spend a great deal of time online and because online discussions are encouraged between students and instructors.
- Public outreach efforts need continued support. Examples are outreach activities by the Pennsylvania Securities Commission and other public agencies.
- Standards should be set for Commonwealth computers, networks, and system administration. Qualification standards for computers and networks used to store personal information should include the correction of all known vulnerabilities in the installed configuration and the limiting of network services to those that support required access. CERT/CC has developed a series of practical measures to help protect information services; they are freely available on the CERT web site (www.cert.org/security-improvement).
Standards should also be set for system and network administrators of Commonwealth networks and computers used to store personal information. The standards should include the knowledge and practices that are sufficient for providing appropriate security. This may increase the cost of administering the computers and networks, but a security breach can be even more costly.
- Commonwealth policies and public information should be reviewed to assure that the public information available on Commonwealth computers and networks does not enable fraud.
Recommended Long-Term Actions
There are no quick solutions to the problem of Internet fraud. The complexity of the Internet and the ever-increasing number of Internet users create a real challenge. The government can contribute to the development of solutions in the following ways:
- Sponsor research and development leading to safer operating systems that are also easier to maintain and manage.
- Sponsor research into survivable systems that are better able to resist, recognize, and recover from attacks while still providing critical functionality.
- Sponsor research into better forensic tools and methods to trace and apprehend malicious users without forcing the adoption of privacy-invading monitoring.
- Provide meaningful infrastructure support for centers of excellence in information security education and research to produce a new generation of experts in the field.
- Consider changes in government procurement policy to emphasize security and safety rather than simply cost when acquiring information systems, and hold managers accountable for poor security.
Conclusion
We have discussed for many years the tremendous interconnectedness and interdependency among computer systems on the Internet. As a result, the security of each system on the Internet depends on the security of all other systems on the network. To address Internet fraud in Pennsylvania and other problems on the Internet, we must continue to work together. We must educate all users, take steps to protect information on Commonwealth computers, and invest in long-term solutions that benefit all.
Copyright 2001 Carnegie Mellon University.
See the conditions for use, disclaimers, and copyright information.
CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office.
This page was last updated on August 23, 2001.