Online anonymity is a complicated topic. There’s no doubt that the elasticity it gives our identities is a massive benefit. We can explore different sides of our personality without affecting the reputation of any other part of us. Unfortunately, that’s also proven to bring out the worst in some of us, with people committing acts online that they would never do in person.
Cyber bullying and mob justice are the most commonly cited examples of this, but as Michael Tiffany, co-founder and president of cyber security software company White Ops, recently discussed, the same concerns allow cyber crime to thrive.
Tiffany frames his discussion around Max Ray Vision, a cyber criminal who stole nearly 2 million credit card numbers under the name ‘Iceman’. Tiffany argues that a large part of Vision’s success came down to his use of a pseudonym. It might seem like common sense in retrospect, because almost all cyber crooks these days appear to have an outlandish assumed name, but using a pseudonym meant Vision was able to create a discrete online identity that had a reputation of its own.
“Part of what made Max Vision’s cybercrime spree so groundbreaking was his drive for personal esteem and recognition – even though he could never reveal his own identity. As ‘Iceman,’ Vision worked to undercut rivals not just to steal their business, but to establish himself as a ‘Kingpin’ of online crime,” said Tiffany.
Vision’s ‘Iceman’ took credit for attacks, and “demonstrated to other criminals that having a reputation for being a talent at cybercrime could be an asset to your career, rather than a liability. […] The dark web, cryptocurrency, and pseudonymous reputation have evolved to create a bustling underground marketplace where any talent you might need for a scam is easy to find”.
A no-risk venture
The police have historically relied on primitive methods for catching cyber criminals. The dark web and assumed names are all but impenetrable, meaning crooks can operate with almost total impunity.
Even if they are caught, it’s very difficult to bring a case to trial, and the few crooks who do end up being sentenced often receive sentences that are much more lenient than criminals who commit similar damage in the ‘real’ world – even though criminal hackers’ actions have equally real-world consequences.
Police closing in
Tiffany suggests that life has got much harder for cyber criminals since Vision was sentenced to 13 years’ imprisonment in 2010. Police forces have got much better at tracking and apprehending cyber criminals, in part because of significant improvements in software and the increased communication between organisations such as Interpol, the FBI and the Internet Crime Complaint Center.
However, the number of cyber criminals has also skyrocketed in that time, and many experts are still frustrated by the leniency that courts show cyber crooks. That might change soon, as the world wakes up to the damage that cyber crime is causing. Organisations have faced tough new requirements in the form of the EU GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Directive. This should lead to cyber criminals being met with equally tough sanctions.
Although organisations clearly welcome tougher penalties for those who breach their systems, they would obviously prefer not to be attacked at all. Cyber security is their responsibility, so they need to ensure they have appropriate measures in place.
One of those measures should be regular penetration tests. This involves a professional tester, working on behalf of an organisation, looking for network and application vulnerabilities in the same way a criminal hacker would.
Identifying and addressing vulnerabilities, ideally before releasing the product being tested, means organisations can avoid having to patch software and, more importantly, prevent a cyber criminal from discovering the vulnerability.
IT Governance is a CREST-accredited provider of penetration tests. We offer a range of services to help organisations of all sizes manage their cyber security strategies.