Source: ISN
Social networks, smart phones and greater reliance on credit cards are making South Africa increasingly vulnerable to cybercrimes. Yet despite government-led initiatives to improve cyber-security, more information is needed to craft effective ways to combat cybercrime, argues the ISS’s Charles Goredema.
By Charles Goredema for Institute for Security Studies (ISS)
Nearly a year ago, a specialist in software risk management and data storage, Marthinus Engelbrecht, warned that while statistics on violent crimes in South Africa hit the headlines every day because of their severity, cyber crimes were much more common and had a much bigger impact. (The New Age, 14.09.2011) Crime analysts and commentators have regularly warned about the insidious nature of cyber crime, and, occasionally predicted an upswing in its occurrence. The build up to the World Cup soccer tournament in 2010, for example, provided a platform for estimates of scale, some of which appeared exaggerated. There are in fact no statistics to reflect what was eventually experienced. However, numerous factors indicate that the risk of South African falling victim to cyber crime has grown immensely.
There is general consensus that cyber crime is any crime that is committed by means of a computer device which is linked to other computers through the Internet. At the same time, there is much uncertainty about the full range of such crimes and how they affect our daily lives. In a typical cyber crime situation, the computer may be used either as an instrument by which to initiate the crime, or as the target of the crime, as stated by the Council for Scientific and Industrial Researchers’ Joey Jansen van Vuuren and Marthie Grobler in a study done in 2009. The scope of activities which could fall within the definition of cyber crime is potentially quite broad, ranging from purely malicious or intimidatory invasions of privacy, to the theft and abuse of personal identity particulars and the fraudulent manipulation of electronic data to commit theft. At the level of state security, instances of data destruction through electronically transmitted malicious software have been reported. A common thread connecting these activities is the intrusive abuse of computers.
The primary source of risk is the increase in the number of people sharing information through internet facilitated social networking and the phenomenal growth in the use of computer devices in the form of smart mobile phones. Since 2010, the number of users has grown, partly in direct proportion to the increase in the number of social websites such as Facebook and LinkedIn, as well as the Blackberry messenger service, and partly as a result of greater access to smart phones. Figures released in February 2012 showed that global sales of mobile phones had escalated from 1,391 billion in 2010 to 1,546 billion by the end of 2011 (International Data Corporation, February 2012). By that stage there were 5,9 billion mobile phone service subscribers. South Africa, which boasts 4 mobile phone service providers, has around 42, 3 million subscribers. Current figures show that at least 65% of South African households have access to a cellular telephone on contract, compared to only 20% access to a home-based landline. The highest concentration is in Gauteng, with 48% of adults having access. Other provinces fall within the range of 43% for the Western Cape, and the lowest penetration of 24% in the Eastern Cape, according to forensics expert Craig du Plooy.
The nature of the information transmitted through smart phones appears to be entirely up to the user. There is a high probability that users are not aware of the potential criminal uses of some of the personal information transmitted. Contact addresses and status updates, if intercepted, can be as strategically important to a fraudster as information solicited by, and provided to websites of unverified integrity. Information-stealing malicious software (malware) has become quite common, but is not generally known to smart phone users.
Ironically, improvements in the speed of accessing the Internet have escalated the cyber crime risk. With the increase in broadband access, greater opportunities for cyber fraud arise. Faster access encourages more use of the internet, but also increases the chances for data interception. The SEACOM cable operator has reportedly increased bandwidth internationally by ten times since its trans-continental network came onto operation mid way through 2009.
Risk also arises from the use of unprotected computer devices. An unprotected computer which is connected to the Internet is a weak link that exposes the entire system to worm-borne attacks. Unprotected computers in the hands of users with inadequate or no training unwittingly raises the risk of cyber attacks on an unlimited range of other connected computers. It is a risk pertaining not just to smart phones, but also to computers donated to charities or to schools.
The use of data storage cards, such as credit and debit cards is being encouraged in many economies striving to move away from cash dominated transactions. It is perhaps most common in Africa’s tourist hubs. Over the years, cyber criminals have targeted data storage cards as media from which to ‘harvest’ financial account information. Card cloning is proving to be a resilient form of criminality in South Africa. The statistics on distribution are however scanty. Anecdotes from reported crimes do however show a strong representation of the hospitality sector, especially restaurants in the Western Cape, among the targeted establishments. Analyses by institutions such as the South African Banking Risk Information Centre (SABRIC) highlight the concentric structure of crime networks implicated in card cloning. On the fringes are relatively lowly paid casual workers, mostly serving as waiters or waitresses, recruited by knowledgeable runners who instruct them to collect data from credit and debit cards using portable scanners. The collected data is subsequently transferred to cloned cards for use in commercial transactions or for fund withdrawals. Data capture from compromised auto teller machines is not as common as that which is manually assisted, but it remains an area of exposure.
Knowledge is vital in pre-empting and minimising cyber crime. In 2010, the South African government declared cyber-security to be a national security priority. The declaration reinforced the official resolve underlying the three main applicable statutes, namely the Interception and Monitoring Prohibition Act (1992), the Prevention of Organised Crime Act (1998) and the Electronic Communications and Transactions Act (2002). The legislation is broad enough to penalise unlawful interception and monitoring of e-mail and text messages. While the law might be in place, the reality is that its effectiveness depends on its intended beneficiaries being aware of how to use it and when.
At this point, awareness of risks and how to mitigate them does not appear to be spreading as quickly as the escalation in the use of cyber-technology. It is largely confined to governments, and the senior levels of larger users of e-technology, such as the financial industry. In 2006 the African Information Security Association (AISA) was established to promote knowledge and create awareness about computer security and cyber crime. The United Nations African Institute for the Prevention of Crime and Treatment of Offenders (UNAFRI) launched the African Centre for Cyber Law and Cybercrime Prevention (ACCP) in Kampala, Uganda in August 2010 in response to mobile phone banking. The ACCP set itself the ambitious task of monitoring cyberspace abuses and the incidence of cyber crime in Africa.
More information is required on forms and trends of cyber crime. This might stimulate an improvement in cyber-crime reports, which will enable better databases to be compiled. Enhanced databases can support more pro-active investigation, as well as the identification of crime networks. Given the rapid proliferation of smart phones, it is suggested that all users should be informed of the main risks and realities. Simultaneously, service providers should be required to appropriately secure all devices they distribute.