Every few months there is a massive credit card breach, and nobody ever goes to jail for it. If someone robbed a bank and stole millions of dollars, they would either be dragged out by the FBI, or shot right there if they threatened police. If someone hacks a database and racks up millions of dollars in charges on other people’s cards, they might get arrested a few months later. Even if they do get convicted, they might only get a year or two in prison.
It’s not so much that it’s not treated seriously, it’s just that it’s really fucking hard to treat at all.
There will always be some numbnuts who’ll have read a how-to guide to ID theft somewhere on the web and done it without understanding any computer stuff about it, and those’ll be caught in three days tops.
But if you know what you’re doing, and if you’re well read on the architecture of the modern web and the way it deals with intrusions and the like, it’s just not really doable to catch you. E.g. Any identified attack will come from the book search server of a public library in Severomorsk that somebody (not you) zombified three years ago.
It’s the Internet version of “body found in an alley in West Baltimore, 4 bullets in him, no witnesses, no ballistics matches” - sure, you probably know what the guy got killed over (spoiler: it’s drugs), you might even have a notion of which group of people did it and why. But proving it ? And finding exactly who ? Yeah, good luck with that.
ETA : oh, and even IF you find out exactly who, it’s easy for them to plead down, since any evidence will point that the attack came from his computer. As opposed to him. Meaning the suspect only needs to say “Oh yeah, at that time I’d left it unattended in the Comp.Sci. room of my college, is that bad ?” to get a heap of reasonable doubt coming their way.
Oh, forgot to mention : there’s also the whole jurisdiction & legal systems kerfluffle. A local guy robs a bank in Chicago - fine, let the Illinois police and justice system deal with his ass. What do you do with a Russian guy who busted an American bank from a cybercafe in Taiwan ?
And how do you propose catching him in the first place in the event Taiwan doesn’t really give a fuck (which, y’know, why should it ?) ?
I’m not sure the issue is so much figuring out who the perpetrators are but that they’re largely operating out of places like Russia (in most cases it seems, literally Russia) that turn a blind eye toward that sort of thing as long as its mainly targeted at people in other countries.
So long as the criminals stay out of Western countries or their allies, they’re usually safe. Though they don’t always follow this advice, the Secret Service managed to lure a Vietnamese identity thief to Guam a year or so ago, and more recently a major Russian credit card theif was arrested while vacationing in Italy.
Or China:
http://www.reuters.com/article/2014/05/20/us-cybercrime-usa-china-unit-idUSBREA4J08M20140520
But I wish the US government did try harder. Often a follow-the-money approach can succeed where trying to trace IP addresses fails. Even Swiss banks and Bitcoin exchanges have complied with subpoenas under the US’s anti-money laundering laws.
In addition to the above, I think the aggregate amounts of actual damage are low relative to the amount of commerce we engage in. Yes, Home Depot had a breach, but that doesn’t mean those stolen passwords, etc. translate to billions of actual dollars being stolen. And even if you could catch these guys likely operating in another country, are you really better off locking him away in prison for decades at a cost of tens of thousands of dollars a year?
TPTB have looked a the numbers and decided it’s a cost of doing business at this point. Frankly, they are probably right. The time and money spend minimizing the problem would waste time, cost lots more money, and create friction. When and if such crime does become worth tackling, I think companies will do so.
For reasons noted earlier in the thread, it’s difficult to pick up the trail and catch the perpetrators.
The situation may improve as tech companies find it necessary to improve security (e.g. Apple and Google rolling out stronger smartphone encryption).
I see what you mean. Sometimes you can get away with things in cyberspace that you can’t get away with in real life. For instance, you can get arrested for following strangers in the real world, but you can follow complete strangers on twitter and it’s perfectly fine! (Badah-bah-dum!) 
Do you have a cite or two demonstrating this? I ask because it’s my experience that if they actually catch these guys and can convict they get sentences just like everyone else. They probably aren’t gunned down in the street because generally cyber criminals don’t have guns like bank robbers do.
A better question, IMHO, is why businesses or government don’t take cyber security more seriously. The recent Home Depot hack is a good example. I was reading an article about their IT and security staff urging them to beef up their security(which was, of course, going to cost more money) and being told something like ‘we sell hammers’. :smack: That statement there, assuming I am recalling it correctly, is to me the perfect example of the attitude I’ve seen wrt cyber security in many companies and government agencies. What it boils down to is ignorance of the threat (an inability to judge risk and assess the consequences) and just ignorance and entrenched old school thinking, coupled with an inability to understand the cost models given to them by their IT staff and judge the trade-offs between spending a few tens of thousands for a level zero security audit by a respected company and then implementing the recommended changes (maybe a few hundred thousand, depending on how bad they are) and actually creating policies and enforcing compliance with them, and being hit with a hack that could cost millions or 10’s of millions, not just in direct costs but in a loss of confidence in the organization and recurring costs in having to buy insurance that will go up…AFTER you spend that initial money I talked about to do the assessment and mitigation, because they won’t sell it to you before you do that once you are hacked. Oh, and let’s not forget if you are a government agency, having to buy cyber insurance for everyone affected in the hack, which can be a pretty big recurring cost on top of the other stuff.
To me, it’s a no brainer, but I can’t tell you how many administrators, elected officials or heads of companies I’ve tried to explain this too only to get blank looks and a knee jerk rejection of the budget line item because it just costs too much and we don’t really need it. We only sell hammers for the sake of the gods! :rolleyes:
Let’s see:
[ol]
[li]Most businesses have insurance which indemnifies them from losses due to data breaches. They aren’t losing money or not losing much.[/li][li]Most cybercriminals simply sit on what they steal instead of using it.[/li][li]The penalties for first, second or even third time iD offenders are relatively low. So are the odds of catching them.[/li][li]The credit card companies and banks are raking in so much profit that fraud isn’t doing anything except chipping away at that profit. If a cybercrook drained a bank’s entire assets away, THEN they would take it seriously.[/li][li]Property crime is a low priority for most law enforcement agencies. Drugs, terrorism and violent crimes are the priorities and limited resources have to directed to teh important targets.[/li][li]Most fraud sections are overworked and understaffed. Don’t believe me? Call your local police department and report a minor fraud, say less than $500. If they do take a report, they’ll tell you that they don’t expect to catch the perpertrator [/li][/ol]
Sorry, but there are only so many cops and they don’t work 24 hours a day.
The crooks rule the roost.
Sure they do:
http://www.911software.com/hacker-sentenced-to-federal-prison-for-credit-card-fraud-scheme/
Checking the links above, you will see that the sentence may be in the range you suggest, but can also be a lot longer.
I consider a year in an American prison to be a substantial punishment long enough to act as a deterrent to any non-violent potential criminal who is really deterable. The 20 year sentence, documented in my last link, is both inhumane and a draconian waste of my tax dollars.
It’s actually rather stupid to put a financial criminal in jail with a bunch of violent ones for decades on end. It’s as if the government wants to turn out thousands of new fraudsters (they’ll get trained while inside) and the guys will be willing to con people AND hurt them physically.
Yes, Bernie Madoff should rot in prison.
However, the man knows how to run a complex Ponzi scheme and he is never going to leave prison. Why wouldn’t he teach dozens of other cons to do the same? Or hundreds?
After all, he’s never getting out.
A little anicdote to illustrate the problem wih foreign perpetrators. I worked in a major online company back around 2000. We often had hackers try and get in. The security folks would contact the F.B.I. if the attackers were in the U.S. If the attacker was from , say, Russia, the security folks would come over to my desk and I would ping the address into submission (in other words a DOS attack) because the Russians didn’t give a shit.
So for attacks that came from outside the U.S. and Europe, it was up to the company to stop the attack and the attackers never got any heat for the attacks. So the attackers generally based attacks from areas where the law enforcement didn’t give a damned.
As far as I know, things have gotten a little better but it is still an issue. Add in WiFi and certain routing/vpn technologies and it becomes very hard to catch someone. If a guy sitting in the Philippines is routing through Russia to a pwned sever in China, well it is going to be hard to catch the thief.
Slee