Anti-fraud coalition lauded as 'useful' in cybercrime fight

The establishment of a one-stop, whistle-blowing center for online fraud and data theft, dubbed the Internet Fraud Alert center, has been lauded as a "useful step" toward tackling the global cybercrime network.

According to Tan Wei Ming, senior manager of government relations for Symantec Asia-Pacific and Japan, the underground economy for stolen data "remain unaffected" despite the economic downturn in 2009.

Citing Symantec's latest Internet Security Report, Tan told ZDNet Asia in an e-mail interview that goods such as credit card information and bank account credentials were featured as "top advertised items" in underground markets.

Spam and phishing attacks targeting financial services remained "relatively constant", and cybercrooks are also adapting their social engineering techniques to better exploit current global events, he said.

Given this backdrop, the creation of the Internet Fraud Alert center by Microsoft and managed by non-profit U.S.-based National Cyber-Forensics and Training Alliance (NCFTA), is a "useful step" toward mitigating online data theft, said Tan.

"For such initiatives, strong international cooperation and response are critical as cybercrime is a global problem that transcends physical and national boundaries," he noted. "Greater public awareness about the risks of data loss can also be engendered through such a collective effort."

Global bond to fight attacks
Launched last month, the Internet Fraud Alert center is a coalition of security organizations and consumer groups such as PayPal, McAfee, American Bankers Association, the U.S. Federal Trade Commission and Anti-Phishing Working Group (APWG), according to an earlier report by ZDNet Asia's sister site, ZDNet UK.

With the new facility, security researchers now have a centralized alert system--developed by Microsoft--they can turn to when they want to report stolen data such as online account login details or credit card numbers. They can also use the platform to notify affected institutions that have been attacked or warn organizations about potential risks so they can duly safeguard their assets.

The coalition is open to new members and organizations expected to join the initiative include retailers, financial institutions and government agencies. Interested parties will be vetted by payment-routing data provider, Accuity, which donated one of its tools to assist NCFTA in vetting institutions, according to the coalition's Web site.

When quizzed further, Freddy Tan, Microsoft Asia-Pacific's chief security officer, told ZDNet Asia that the Internet Fraud Alert program is part of the software vendor's "ongoing investment in technology innovation, industry collaboration and consumer education to help create a safer, more trusted Internet experience for everyone".

"While we don't have a specific percentage target, our ultimate aim is to help protect consumers from the evolving problem of online fraud," Tan said in an e-mail.

He added that while Microsoft has no "specific industry sector or vertical targets" it is hoping will join the coalition, the company encourages its security partners to consider joining the alliance.

One such partner, McAfee, has given its support of the new center. Phyllis Schneck, vice president of threat intelligence at McAfee and chairman of the NCFTA board, said the facility will "help mitigate potential losses due to online fraud and account compromise".

Schneck said in an e-mail interview that the new body is an "extension" of the NCFTA model that had enabled over 150 cybercrime arrests, to date, by bringing together top fraud analysts from both government institutions and the private sector in one organization.

"That said, more needs to be done [particularly in the areas] of fighting cybercriminals and preventing breaches," she said. "We are still losing the war on cybercrime and need to stifle this adversary through partnership and real-time agility."

Prevention is better
Symantec's Tan agreed that more can be done. "The safest, most critical and fundamental step is to prevent the data from being stolen in the first place," he said.

This requires a combination of people, process and technology where user awareness, coupled with the establishment of best practice processes and deployment of data protection software, come together to minimize data loss, he explained.

He added that within an enterprise environment, there are many ways for data to be compromised so it is "critical" to identify, monitor and protect data across a wide network of servers and endpoints.

Tan also called on "all stakeholders" which include governments and enterprises to work together to tackle cybercrime as it is a "problem that affects corporate networks, other critical infrastructure as well as end-user machines".

"As cyberattacks become increasingly sophisticated and black hats are rapidly adapting their techniques to exploit any loopholes and vulnerabilities to steal sensitive and confidential data, initiatives [such as the Internet Fraud Alert center] that can help address these problems will be welcomed, whether on a global or regional level," he said.