InfoSec Philippines

Information Security, Technology News and Opinions


Opinion: Philippine Cybercrime Bill, wherefore art thou?

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 12, 2009

For around two years now, information security professionals have been saying that cybercrime is on the rise because of the change from ego-centric motivation (i.e. malware that begs for attention) to financial motivation (i.e. malware that accumulates/sends data, silently evading detection). This financial motivation has led to cyber markets/exchanges wherein hackers and their cohorts transact and, in a more recent development, now specialize in a certain aspect of their trade, which in turn has increased efficiency. For example, some specialize in retrieving credit card numbers and other personal information, others specialize in printing the fake cards, while others use the cards, whether they be ATM cards (Citibank hack in NYC) or credit cards (Malaysians arrested in Australia for fake credit card use). The current worldwide economic environment has only made matters worse.

The question here is, where is the Philippine version of the Cybercrime bill? Around two months ago, it was still on its second reading in Congress. It’s already taken more than eight years. I could be wrong, but I doubt it’s finally passed.

From what I’ve seen and experienced, I find it hard to believe that barely any cybercrime happens here. There are far too many good Filipino hackers and scammers for nothing to be happening. Maybe audit logs aren’t turned on, maybe no one regularly checks the logs, maybe when people get scammed, they just let it go (feel free to blame the culture). UK’s BERR and PWC InfoSec Breaches Survey of 2008 states that there are fewer incidents reported in 2008 than 2004; however, it may be because they’ve been understated, since they found out that “companies that carry out risk assessment are four times as likely to detect identity theft as those that do not.” Which begs the question: do Philippine organizations with confidential information actually undertake risk assessments, take appropriate actions and implement controls to protect their assets? Just because an organization doesn’t have “incidents” doesn’t mean that confidential information doesn’t leak. How does one report an information security incident when one isn’t aware of how to identify it? Secondly, would the company in question have a process in place to accommodate what an employee finds suspicious? Third, would that company then have a process and resources (i.e. competence in IT forensics) to investigate the report? I’m sure that if it happens in more security-conscious countries, it must be happening here; we just aren’t aware of it or it isn’t reported… especially given all the useless WEP encryption found in coffee shops, keyloggers found in internet cafes, surreptitious card reader machines used to read credit card information, and stories of scammers at Philippine online auction sites.

Maybe it will take a high-profile hacking of one of our few promising industries that is heavily dependent on IT: one of our BPOs. Or maybe even the hacking of the private files of one of our lawmakers (Obama, Palin, and McCain got hacked last year) for there to be any progress on this bill. Whether that happens or not, I find it indefensible to wait for something bad to happen to impel lawmakers to do what’s right, and give the country and its people what there’s obviously a need for.

References:
(InfoSec Philippines) Nov 11, 2008 (note: has links to Philippine Cybercrime bill news articles)
(TechRepublic, Sep 2007) Cybercrime tools market maturing, and crimes are on the rise
(Newsweek, Dec 2008) The Rise of Black Market Data
(Univ of Mannheim, Germany, Dec 2008) Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones
(Wired, Oct 2008) Cybercrime Supersite ‘DarkMarket’ Was FBI Sting, Documents Confirm
(Symantec, Nov 2008) New Symantec Report Reveals Booming Underground Economy
(ihotdesk Outsourcing News, Dec 2007) Cyber crime market threatens data
(ContactCenterWorld.com, Feb 2009) Japanese Cybercrime at Record Levels as Hackers Crack Web sites
(Computer Crime Research Center, Oct 2008) Recent Stock Market Decline Causes Economic Cybercrime to Hit All Time High
(CBCNews Canada, Mar 2009) Fraud artists, security experts fight sophisticated battle
(ArticSoft, 2004) How Do You Deal With Internet Fraud
(Credit Cards Web UK, Mar 2009) Card fraud refunds being refused by more banks
