Cyber-crime is big business. The British Crime Survey asked 44,000 British households whether they had been a victim of crime and found that while about 2 per cent – a million – had suffered a traditional acquisitive crime such as burglary or car theft the previous year, more than double that number had fallen victim to a fraud or scam. Most of these frauds are online or electronic: credit card cloning, phantom withdrawals from ATMs, phishing, dodgy auctions. And while most traditional crimes are falling, fraud is growing briskly. If the social contract between the citizen and the state is obedience in return for protection, then cybercrime is one place that the contract is breaking down.
To get money off this book from The Independent's bookshop, click here.
Technology shifts often leave the police floundering. The arrival of mass car ownership in the 1950s was a good example: a burglar from Birmingham could visit half a dozen houses in Hampstead one night and be back home for breakfast. The Met didn't know of him, and his local force didn't hear of the crime. Fixing that was a long journey involving regional crime squads, national computers, fingerprint databases, and automatic number-plate recognition. And it's still not finished.
Online crime is the same but on steroids: it's the industrialisation of petty crime on a global scale. A bad man may get up in the morning in Odessa and send out a million phishing emails; perhaps half a dozen suckers will enter their bank passwords; their credentials get sold on to a cash-out specialist in St Petersburg. He will transfer money to a Polish mule in London; she sends it by Western Union to small shops in Latvia; and finally the money man's runners collect it.
Most governments have not figured out what to do. The incentives facing police forces are a big part of the problem: they prioritise crimes with local victims, and where losses exceed some threshold. As London is 1 per cent the internet, the Commissioner of the Met will be tempted to say "Why should I bother about this spammer – only 10,000 of his lures arrived in my manor. Hey – 200,000 will have turned up in America – so let the FBI do the heavy lifting."
So most of the world's cybercrime enforcement ends up being done by the FBI, the US secret service, and large US firms like Google and Microsoft. And the amount they do is way less than optimal; so it's generally welcome when people write books to educate the public and policymakers. Misha Glenny's Dark Market tells how cybercrime evolved over the last decade. It's the inside story of a huge change in the mid-2000s, when cyber-criminals got organised.
Ten years ago, computer villains were one-man cottage industries. They built bad websites, harvested credit card numbers, forged cards, bought stuff and sold it. This was just a nuisance. The big change came when criminal entrepreneurs set up black-market websites where crooks could trade with each other. Programmers who wrote malware could sell it to people who would use it to recruit PCs into "botnets" of compromised machines. These "botnet herders" could then rent out their machines to send spam.
Fraudsters could hire experts to design websites to imitate banks, and the infrastructure to support them. Stolen credit cards and banking credentials could be sold on to cashout specialists – money launderers who would organise people to forward money, or to collect it from ATMs. People in the criminal economy started to specialise and get good at their work. Productivity soared, just as in the real economy in the 18th century. Adam Smith's famous pin factory was reprised – in a burgeoning criminal economy that does a different type of PIN.
Dark Market tells the story of how these black-market websites came about, with such exotic names as CarderPlanet, ShadowCrew and DarkMarket. Cyber-crooks compete and cooperate in Ukraine, America, Russia, Turkey, Britain, Canada and elsewhere. They tend to get closed down by the FBI and the US secret service, which collaborate with each other, with other police forces and with the big industry firms through the National Cyber Forensics Training Alliance, a Department of Homeland Security agency in Pittsburgh.
The book's hero is Keith Mularski, an FBI agent who penetrated the DarkMarket website and even become one of its moderators. He collected reams of information about phishing operations, the trade in "skimmers" for copying cards at ATMs, and money-laundering services. This led to a series of arrests from June 2006 that closed down DarkMarket and led to jail sentences for many of its key players. This operation is well-enough known to the information security community; we followed the arrests and trials.
What Glenny adds is the human colour. He has taken the trouble to interview not just Keith and his colleagues but a lot of the bad guys in prisons. These tales of the entrepreneurs of crime must be taken with a pinch of salt, just like the hagiographies of Silicon Valley billionaires (or Victorian robber barons) but they do fill in some gaps in our knowledge.
This book has a major weakness, though. Many of the descriptions of the technology are wrong, some painfully so, and while Glenny uses our jargon, he uses it so badly that it's a constant irritant. He tells us that only a tiny elite understand computer technology "while most of the rest of us understand absolutely zip about it". But with most people in Britain using computers and half a million of us earning our living from IT, that's scarcely true, and in any case a non-fiction writer's job is to understand and explain.
Instead we get clichés and handwaving. A VPN is described as computers sharing the same IP address, while a Turkish crook is described as having spent much of the day fashioning microprocessors for the illegal skimming industry. There are many errors in easily checkable facts: according to Glenny, the US started to classify encryption software as munitions in the 1990s (this fight actually started in the 1970s) while he thinks the Department of Defense has signals intelligence done by DARPA (the NSA does that). He describes phishing as "from an early stage, critical to all manner of cybercrime" when it only took off at scale in 2005. He assures us that dating sites are "home to some of the most sustained and intense mendacity in history": published research finds that people exaggerate only slightly on dating sites (women about their age, and men about their height – by less than one inch on average). Indeed, he really doesn't seem to like online stuff at all: he assures us that the culture of the Internet is "the valley of lies".
So a geek who picks up this book will likely put it down again in disgust after a dozen pages. Experts who persist may learn much, but the errors and exaggerations leave a question mark over its dependability. The publishers were negligent in not having it proofread by a technically literate editor. The same can be said of government cybercrime policies, but that's no excuse.
Given the interest of the material, and its public importance, they might consider a second edition in which this shortcoming is rectified. Had Glenny simply put his material online on a blog, one interview at a time, people would have put him right soon enough.
Ross Anderson is professor of security engineering at Cambridge UniversityReuse content