United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Extract from memorandum by SecureTrading

INTRODUCTION

  1.  SecureTrading—a wholly-owned subsidiary of UC Group—is a privately owned company registered in the UK which operates a payments business that specialises in the secure processing of Internet payments.

  2.  For any online transaction which results in the transfer of monetary value from one party to another there needs to be a mechanism to transfer that value which is secure, 100% reliable, and trusted by all parties involved, ie consumer, seller, merchant, credit card company, and bank. This requires the combination of excellent security and payments technologies, strong relationships with banking and credit card partners, the ability to operate internationally, and a trusted brand. The prize for achieving this is an income stream that grows not only from the increased numbers of merchants wishing to take payments online, but also from the growth in the numbers of transactions from each merchant, and the ultimate opportunity to process other types of payments on behalf of the parties involved using internet protocols for transmission.

DEFINING THE PROBLEM

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  3.  Credit card transactions using the Internet involve risks not present in face-to-face business because the card holder and the merchant are not normally together when the transaction occurs. Without safeguards in place, the lack of face-to-face communication has the potential to increase the risk of fraud and money laundering in any Internet credit card transaction by comparison to its counterpart in the physical world. Some e-commerce sectors, such as gambling, entertainment and the travel industry raise additional public interest concerns that further enhance the need for making on-line credit card transactions both secure and capable of preventing fraud and other abuses.

  4.  The provision of online payment services underpins the use of the Internet for commerce and creates new channels for entertainment industries. It is a market that is growing rapidly.

  5.  In the past, organised crime groups concentrated their efforts in areas such as drug trafficking, bank robberies and prostitution. The exponential expansion of the internet and weaknesses in personal internet security have led to organised crime turning its attention to Internet users. They employ technical expertise to propagate malicious code (viruses, trojans and worms) designed to steal personal information which can be used to defraud users and to use their identities to make unauthorised financial transactions. Consumers and businesses need to be protected against the increasingly sophisticated means that criminals use to target them.

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  6.  The precise scale of losses is not easily quantifiable. Up to now, the banks and credit card companies have accepted liability for these losses; accurate reporting figures for these losses and the consequential losses incurred by victims and the financial institutions are hard to find. According to a recent APACS report, published in April 2006, in 2005 the total losses from online banking fraud reached £23.2 million—an increase of 90% on the previous year's total of £12.2 million. However, this fraud is growing from a very small base, which can make losses appear to grow rapidly: online banking fraud losses (£23.2 million) are relatively small when compared with plastic card fraud losses (£439.4 million).

  7.  The advent of Chip & PIN has diverted criminals' attention to the Internet and so we expect losses through "card not present fraud" to escalate in line with the growth in online transactions.

  8.  There is no national co-ordination of e-crime reporting and no statistics which are reliable. Consequently, it is impossible to measure accurately relevant data in this area. Again, most consumers who are subjected to losses over the Internet are likely to report the loss to the merchant with whom they are transacting or their bank or credit card company.

How well do users understand the nature of the threat?

  9.  Information of this nature is difficult to accurately portray and we are not aware of any extensive research into whether individual users are specifically aware of phishing, pharming, identity theft and viruses as distinct threats and the respective dangers posed by each. Whilst increasing media attention on the issue of internet crime has certainly raised awareness of these dangers, Get Safe Online research quoted below suggests that a significant number of users are simply conscious of internet usage being synonymous with an increased vulnerability to internet crime and as such have been put off using it altogether.

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  10.  This requires a combined effort across a number of fronts:

    —  Perimeter protection is in the hands of ISPs, telcos and network infrastructure providers—such as CISCO. More could be done to clean-up malicious code and to prevent it being propagated down-stream to businesses and users.

    —  Businesses who provide products and services to support Internet users can clearly do more to provide hardware, software and infrastructure improvements to mitigate the threats and risks that are ever-evolving.

    —  Financial institutions could do more to offer better levels of protection to their customers—both business and consumer.

    —  Consumers too must take responsibility for their own protection.

  11.  This all comes at a cost—but arguably, a price which over time, will be less expensive than continuing to accept growing losses and the harm that results from them.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  12.  SecureTrading is a key partner in the Get Safe Online initiative, led by Government and supported by industry to raise safety and security for Internet users. The UK's increased use of online services has led to a greater exposure to internet criminals.

  13.  Since the instigation of the Get Safe Online initiative, awareness of online crime has increased. In contrast to 2005, research this year shows that 21% of people now feel most at risk from Internet crime; only bank card fraud rates more highly and people are now significantly more afraid of internet crime than "physical" crimes such as burglary, being mugged and car theft (16, 11 and 8% respectively).

  14.  As a consequence of an increased awareness of the dangers of internet crime, the Get Safe Online research found that fear of falling victim to it is preventing some customers from transacting online (24%) or shopping online (18%), whilst in some cases (17%) people have been put off using the internet altogether, as a result of concerns about online crime.

  15.  Clearly a balance has to be struck between encouraging people to use the internet, while making sure they are aware of the risks in order to protect them.

What factors may prevent private individuals from following appropriate security practices?

  16.  Many Internet consumers may take the view that:

    —  little or no threat exists—that it "can't happen to me";

    —  someone else will pick-up the cost of any fraud that occurs;

    —  they haven't the time, inclination or knowledge to deal with the issues;

    —  it's too difficult to manage computer systems to provide optimum levels of security; and

    —  there is so much information out there, they don't know where to start—so they do not start at all.

  17.  Research from Get Safe Online suggests that, although people have become increasingly aware in the past 12 months about staying safe online, a significant knowledge gap still exists:

    —  72% of respondents said they could use further information about online safety, compared to 78% of respondents last year; and

    —  40% are still uncertain as to where to go for this advice, compared to 48% last year.

  18.  Progress in this field has been mixed:

    —  83% of internet users have virus protection (compared to 80% last year);

    —  78% have a firewall (75% last year);

    —  but, one fifth of respondents hadn't updated their virus protection in the last month; and

    —  23% had opened an e-mail attachment from an unknown source.

  19.  Of greater concern is the fact that many people are also unwittingly increasing their vulnerability to internet hackers, by not taking sufficient care to create secure passwords:

    —  51% of respondents use the same password for more than one website; and

    —  17% use personal information about themselves in passwords.

  20.  For those respondents who had failed to adopt basic security measures:

    —  14% professed a lack of knowledge about the safety measures necessary to take;

    —  12% expressed concerns about the cost of security systems; and

    —  11% complained of a general lack of time to install them.

  21.  A large majority of the population still believe that it is the responsibility of others to protect individual users when it comes to online safety, although compared to only 15% in 2005, 24% of this year's survey respondents felt they should be primarily responsible for their own online security. However, 41% suggested big online organisations should insure their users against fraud, and nearly one in ten put responsibility for online security at the door of HM Government.

Who should be responsible for ensuring effective protection from current and emerging threats?

  22.  We all have a role to play here—Government, business, vendors in the Internet market and consumers. As stated earlier, a concerted effort is required to ensure that criminality does not succeed in subverting a very rich medium which can bring huge benefits to society.

  23.  This is, by its very nature, a global issue, but it lacks the political support and motivation to take appropriate measures internationally to thwart those who use this new channel as a means to further criminal aims.

What is the standing of UK research in this area?

  24.  Poor. There is no authoritative research or study which details the key issues and which measures threats and risks, alongside the growth of on-line criminality. Neither is there any impartial, independent and authoritative advice which offers businesses and users appropriate help on what steps they can take to mitigate the threats and risks that exist.

GOVERNANCE AND REGULATION

Is the regulatory framework for Internet services adequate?

  25.  Telcos and Tier 1 ISPs currently operate under a charter which provides them with "innocent carrier status". This in essence means that they take no responsibility for the data that flows through their networks. It might be time to examine whether this should change—at least in relation to the prevention of propagation of malicious code. This is not a suggestion about regulating or interfering with "content".

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  26.  Many standards exist in businesses that provide very adequate information security protection and bodies exist which do nothing other than concentrate on these issues. The Information Security Forum[33] is one such organisation.

  27.  To flow this learning throughout Government, businesses and to consumers requires a co-ordinated effort both nationally and internationally, as well as leadership from Government.

  28.  Indeed it would be extremely advantageous for business to know what the Government expects from UK Directors in relation to foreign laws and policy in this and other international financial processes.

CRIME PREVENTION

How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  29.  More resources need to be applied locally, nationally and internationally to cope with the growth in e-crime. Of course, it would help greatly to have accurate reporting statistics and to accurately quantify the financial losses that exist. The National Hi-Tech Crime Unit established in 2001 has now been absorbed within the Serious Organised Crime Agency (SOCA). Its e-crime division is equipped only to tackle level three criminality (national and internationally perpetrated serious organised criminality). This leaves a significant gap in the law enforcement response at a national, regional and local level and does not adequately provide a response to other level three crimes that are not considered by SOCA to warrant attention or resources.

Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  30.  Mostly it is. However, we need a fast and effective method of ensuring that the legislation is kept up-to-date with the evolving technical modus operandi employed by organised crime and other criminal elements.

20 October 2007




33   www.securityforum.org


 

© Parliamentary copyright 2007