By Alex Salkever On Nov. 20 the FBI announced a massive Internet crime bust. Dubbed Operation Cyber Sweep, the investigation netted 125 arrests and indictments over the course of seven weeks. The FBI says those arrested, indicted, and convicted are responsible for $100 million worth of crimes affecting 125,000 Americans and dozens of businesses. The busted ranged from crackpots to the purely craven, including a disgruntled baseball fan who allegedly hacked into the computers of the Philadelphia Phillies and a credit-card scamster charged with using bogus card numbers and bad checks to beat online electronics store Outpost.com out of $80,000 worth of merchandise.
In Operation Cyber Sweep, which is still ongoing, the FBI coordinated actions with dozens of law-enforcement agencies at the federal, state, and local level. Top FBI officials emphasized that the operation shows how high a priority cybercrime is for bureau investigators, and clearly, the busts bumped the battle up several notches.
"Online criminals assume that they can conduct their schemes with impunity," said Attorney General John Ashcroft at a Nov. 20 press conference. "Operation Cyber Sweep is proving them wrong, by piercing the criminals' cloak of anonymity and prosecuting them to the fullest extent of the law."
FOLLOWING THE DOUGH. The FBI and its cohorts are to be lauded for the inroads they seem to be making in attacking cybercrime. But let's keep this in perspective. The folks who've been nabbed are mainly small-time confidence artists or at the most mid-level scamsters. The busted are the ones who could barely cover their tracks. And they resided in the U.S. -- easy pickings as compared to, say, Indonesia, where the FBI would find it slightly more difficult to collar international cyberthieves.
Criminals rob banks because that's where the money is. Likewise, in cyberspace expect the most ingenious criminals to follow the dough. That hardly means penny-ante operations that pick off a handful of credit-card and bank-account numbers.
Rather, the big money is in the big databases. Credit-card companies, banks, and credit-reporting agencies all store most of the files they keep on hundreds of millions of people in these big data warehouses, which are far more heavily guarded than someone's password at an e-commerce site. Major corporations understand that these big databases are an enormous liability and deserve serious security firepower.
DANGEROUS MIGRATION. Inevitably, however, more and more of these supersensitive storehouses will suffer breaches. That's simply the law of large numbers as more and more people come online with broadband connections and more evil brains begin to comprehend the motherlode these data centers hold. A skilled malicious hacker could leverage a breach with other software to harvest personal IDs and export them en masse to any location around the globe. With that info they could apply for a million credit cards in a day or drain $5 out of millions of bank accounts -- enough to get rich but not enough to raise an immediate alarm.
And a number of these big guys have already been hacked or suffered serious breaches ranging from unauthorized use of external access to their databases to suspicious break-ins that likely released hundreds of thousands of sensitive files into the cyber underground. Rarely are these databases connected directly to the public Internet, but then again supposedly neither were the ATM machines that failed under the barrage of bogus traffic when the Slammer worm struck in the summer of 2003.
What's more, many of these databases are rapidly moving offshore and, therefore, outside the easy reach of U.S. law enforcement. Two of the three big credit-reporting agencies say they intend to move significant portions of their operations overseas, according to a Nov. 7 article in the San Francisco Chronicle by investigative reporter David Lazarus. Many banks and credit-card companies did this a long time ago, meaning that Ma and Pa Kettle's credit report is as likely to be retrieved from Bombay as from Boston.
E-MAIL ALERTS. The upshot? While the FBI's Operation Cyber Sweep is necessary and should continue, it's only the first step -- knocking down the low-hanging fruit -- on a long path to better Internet data security. Another key step would be starting to build strong coalitions with law-enforcement agencies in the countries where these frauds will most likely take place. A series of high-profile busts overseas would carry more weight than anything that was done just stateside.
Equally key is to give consumers the tools they need to detect anything fishy in their accounts. Some financial institutions already offer capabilities such as e-mail notification of any suspicious credit-card activity. That's good and should be expanded.
Two of the three credit-reporting agencies offer an annual paid service that sends customers an e-mail anytime their credit history changes or is accessed. But the agencies claim they can't force any banks or other financial institutions to call individuals whose records have been pulled even if they have a fraud-alert warning on their credit file. And the cost of paying for both services separately is over $100 annually. The third credit-reporting agency continues to keep consumers in the dark when it comes to e-mail notification.
FAIR FIGHT. California has taken the more radical but equally welcome step of mandating that companies and organizations that get hacked notify potential victims as quickly as possible. That's unlikely to become a federal law anytime soon, and that's too bad. The public is the best defense against online fraud.
Yes, keep busting the bad guys both here and abroad. But the government really needs to give people what they need to fight this scourge: more information. A good start would be a unified system that would notify consumers whenever their credit file has been accessed at any of the big credit-reporting agencies. That could be run by the government or by a third-party nonprofit created for the task. The notifications could travel via e-mail or snail mail, depending on personal preferences.
While banks and credit-card companies have gone a long way toward correcting past problems with notifying and protecting customers, a California-style law with teeth is necessary on a national level. That would mean banks and other financial institutions would face the very real risk of civil penalties if they don't notify affected customers in a timely fashion.
AVERTING CATASTROPHE. At the very least, everyone should have the right to know that they may be at risk for the rest of their lives. This is particularly important as more fraudsters are now staggering their use of purloined information over months and even years to attract too much attention.
These steps won't address all Internet crime sectors. "Phishing," where online scam artists dupe people via clever e-mail into coughing up account and personal information can't be directly stopped by either measure. What they will do, however, is prevent an inconvenient breach from turning into a major catastrophe for Web surfers and the companies that sell to them.
With the right information in hand, consumers can look after their own best interests and serve as a far more potent mechanism than Operation Cyber Sweep to keep online fraud in check. Salkever is Technology editor for BusinessWeek Online. Follow his Nothing But Net column every week on BusinessWeek Online