When Cybercrime Isn't Treated as a CrimeWhy Not Report Credit-Card Account Theft to Local Cops?
Cyber is part of our everyday lives. Still, in many cases, a natural - or perhaps a unnatural - divide exists between the virtual and physical worlds. This is especially true in the way we deal with crime.
The stark difference on how we treat online crimes differently than those in the real world came up in a conversations I had the other day with Derek O'Halloran, head of IT industries for the not-for-profit World Economic Forum, which earlier this year issued a document entitled Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World.
Can you imagine walking into your local police station and saying, 'I want to report the fact that money has been stolen from my credit card.' They'll probably look at you as if you had two heads.
As part of its Partnering for Cyber Resilience initiative, the World Economic Forum is interviewing leaders in business, government and the media to get their take on how organizations can partner to battle cyberthreats, including online crime. One of the interviews focused on information sharing and forensics when an interviewee raised the following point to O'Halloran:
"Look, if I get my bicycle stolen or my car stolen or my house broken into, what do I do? I call the police. I get an incident number, and use that to file a claim with my insurance company. And the police are able to aggregate that crime information and sometimes can spot patterns and act on this.
"But if you get money stolen from your credit card and bank accounts, none of us would ever think about calling the police. We would call the bank. We call the credit card company, and they'll fix it for us. But none of that information ever gets through to the criminal justice. Or if it does, it's because there'll be some special provisions between the company and the criminal justice units of whatever jurisdiction they're in. By that stage, it's probably far too late for investigative use."
Who to Call?
One of my relatives not too long ago had a credit card stolen from her purse. Within a half hour, if that long, the thief bought a tank-load of gasoline at a service station just across the state line and then purchased some merchandise online from a national retailer using the stolen credit card account number. In such crimes, who should we have called? The local police where the wallet was snatched? Municipal law enforcement authorities in the town where the fuel was purchased? The police in the city where the national retailer is headquartered?
We called the card issuer, which immediately voided the illicit charges. It never occurred to us to report the theft to law enforcers. If it had crossed our minds, we'd have assumed the credit card company would alert the proper authorities.
"Who would you call?" O'Halloran asked. "Even if you did, can you imagine walking into your local police station and saying, 'I want to report the fact that money has been stolen from my credit card.' They'll probably look at you as if you had two heads."
O'Halloran said a two-fold pilot program underway in a Swiss canton involves training police to handle cybercrimes and making the public aware of how to report cybercrimes.
Major cybercrimes such as breaches to IT systems hosted by major corporations often, but not always, get reported to authorities because of the significant amount of money that's at stake. But these "petty" cybercrimes against individuals by comparison are loose change, yet do add up to substantial sums when aggregated.
What's needed, O'Halloran said, is a way for governments, businesses and law enforcement agencies from around the world to collaborate to develop common reporting standards to fight cybercrime. That's a goal of the World Economic Forum's Partnering for Cyber Resilience initiative worth pursuing.