That was one of the conclusions from a congressional hearing this week called "Hacked Off: Helping Law Enforcement Protect Private Financial Information."
A big problem we are facing in the fight against financial crimes is that the criminal complaint has almost disappeared. Even when a police report is filed, it is often "so the bank will give you your money back. Case closed," said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham.
MORE SECURITY NEWS: Despite controversy, federal, state wiretaps on the rise
"The understandable hesitation of law enforcement to 'work a case' in these areas has led to an unfortunate form of apathy by the consumer as well as the financial institutions. Large banks lose millions of dollars each year to phishing and malware, but they reimburse the cost to customers and structure the losses into the cost of doing business. Consumers have been trained that if they experience financial losses they should contact their financial institution rather than the police. If they have had their money returned by their financial institution, there is little incentive to share that information with law enforcement," Warner stated.
These activities make it less likely consumers will ever report their victimization in a way that lets intelligence-driven policing Internet crimes occur. "Without a mechanism to gather basic complaint data into a data mine, it becomes very difficult to understand the scope and nature of the crimes we are facing," Warner testified.
Warner added: "Website owners hosting their small business and personal websites in the United States, have had their servers hacked for use by phishing criminals more than 40,000 times so far in 2011. At the present time, I am unaware of a single situation where the hacker was arrested. Because of the experience of the crime 'going overseas' many law enforcement officers are hesitant to take these cases and local law enforcement officers question whether it is even appropriate for them to be involved in a case that is potentially international."
Warner noted that the Federal Trade Commission (FTC) collects consumer complaints from a large number of sources, including the Internet Crime and Complaint Center, the Better Business Bureau, the U.S. Postal Inspection Service, and many state attorney general's offices.
"But there is still an enormous amount of unreported crime. The most recent FTC Consumer Sentinel Report indicates 1.3 million complaints were received from consumers, however the best estimates indicate that there are now more than 11 million identity theft victims per year in the United States. One of the challenges is how to make sure these additional victims can have the crimes against them documented. If even the minor cases are documented properly, data mining of the complaint data can lead to significant cases being brought by linking the smaller cases together," he stated.
It is often the case that while portions of the crime may go overseas, parties to the conspiracy are located in the United States. Many financial cybercriminals have found it is easier to work with U.S.-based accomplices to remove money from bank accounts. The most common method of doing so is to recruit a "money mule" to receive the stolen funds into an established local bank account.
Money mules often begin as disposable employees who believe they have been selected for a "work at home" job. These jobs are often advertised by spam email messages promising amazing earning potential for hard workers with little or no educational requirements or experience. A popular version at the present time is a "mystery shopper" position. In this position the new employees are told that they will test the customer service and friendliness of various businesses, such as check-cashing businesses, bank tellers and international money transfer services. The mystery shoppers may be asked to open a new bank account and evaluate the friendliness of the bank personnel, or receive a deposit into their personal account and then evaluate the customer service of the employee at Western Union as they send the money to Eastern Europe. Some criminal organizations use several thousand money mules per year in various schemes of this sort. The advertisements promise earnings up to $300 for each assignment.
While money mules of the type above are likely not chargeable, many large rings of money mules continue to operate domestically with the full knowledge of their participants. Without investigating the phishing crime, the opportunity to identify this critical U.S.-based part of the criminal enterprise is lost.
Follow Michael Cooney on Twitter: nwwlayer8
Read more about wide area network in Network World's Wide Area Network section.