Hacker High School

Tom Roberts 06 Feb 2014

It was recently reported in the news that students in a US school had planted a key logger on a teacher's PC, obtained their credentials, and then hacked that computer and altered grade records, affecting a possible 750,000 student records. This is not “new” in the scheme of things, and such events have been going on since I was at school (and yes, that was a very long time ago and we didn’t have computers at school in those days). Students are told that “their future depends on their grades”, and as such many will see this as a “game” to be won by any means. This doesn’t necessarily stop with grade school: faked diplomas, work records and even memberships of certain accreditation bodies have been faked, and people have gotten away with it, often for scarily long periods of time.

This happens far more than most people might think, for multiple reasons. The first is that newsworthiness has a shelf life, and most incidents would barely register unless they cause a death or a significant loss of money. But there is historical precedent for “ignoring” or playing down fraud or fraud-related scams. According to the 1998 Department of Justice statistics, of the 1474 arrests for fraud in the US during that year, only 122 were convicted and only 26 of those went to jail.

In 2000 KPMG highlighted that fraud involving the theft of currency, such as credit card cloning and cheque fraud, accounted for over 75% of all reported cases, yet it remained one of the least convicted crimes of that period. The second reason it goes so unnoticed is that it can go unreported in the first place. Companies seem gun-shy about coming clean on potential losses and would prefer to swallow the costs than admit they were duped or had a process which allowed for embezzlement. We (the public) are really to blame, because we often think “you must be stupid to fall for that sort of thing”. But in truth not all fraud is as obvious as the 911 scams of yesteryear.

There is one (or two if you wish to nitpick) other possible reason, and this is more of a speculative guess than hard fact: white collar crime is seen by many as “victimless” because “no one got hurt”, and hackers can often be seen as “cool” or “chic”. We have Keanu Reeves and his supporting actors to thank for that, as well as a myriad of “hacking is for cool kids” films which show a skewed view of security and seem to venerate those who steal by being very smart as opposed to lowering themselves to brute force. Being clever is to be applauded; being unethical should be seen as a violation against the whole of society.

The recent report from the UK National Fraud Authority states that:

  1. Between March 2012 and February 2013 there were 58,662 cyber-enabled frauds and 9,898 computer misuse crime reports, with an average loss of £3,689 per event. Do the maths: that is a lot of money when it’s all added up.
  2. The findings of both the charity and private sector surveys suggest that one-quarter (25%) of cyber-enabled fraud victims do not report cyber-related frauds externally.
  3. Estimated losses by victim type show that small business bears the brunt of fraud: about a quarter of all fraud (in monetary terms) would be classed as happening in “small business”.
  4. This doesn’t count the unreported losses, and the estimates of the actual picture are that large business is JUST as targeted but far better at keeping it out of the public domain. This skewed picture means that many (even in our own field) underestimate the severity of the problem.
  5. See the full report at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/206552/nfa-annual-fraud-indicator-2013.pdf

These figures add up, and the impact on society is not always obvious. Companies that suffer fraud may have to raise prices for consumers, enact severe processes that lower workforce morale, and create a mistrusting workplace that causes stress or anxiety for staff (which can leach into personal lives), along with a myriad of other hidden elements that can impact production and day-to-day job satisfaction as well as mental health. If the staff feel that the culprit “got away with it”, then such events can even plant the seeds of “if they got away with it… maybe I could”, and create a meme of “grab what you can”.

Kids are going to be kids; they will continue to do what kids do to “win” at the game of life. We may underestimate them because they are kids. But kids have the same, and sometimes even better, skills at hacking than most adults. These kids will be the workforce of tomorrow, and “soft centre” companies that protect themselves against nameless threats out in the big bad world may need to rethink their strategy and make sure they have secure and robust processes and auditing, to ensure that the kid who cheats to get ahead in school doesn’t turn out to be the adult who steals his way to a better life because he’s always gotten away with it with little or no consequence.

Am I suggesting that we have special prisons for kids who hack? No. Simply put, I am suggesting it’s about time we teach IT security in schools alongside a good dose of Ethics 101, breed the next generation of cyber-stoppers from a young age, and applaud people like Cliff Stoll (in his day) and his ilk, who strive to see hacking as harmful to the wider society as opposed to something that “cool kids” do. Lastly, I think it’s about time companies came clean on the real picture related to cyber fraud, if only to quantify it and drag this dirty little secret into the light of public opinion, as well as to allow law enforcement to take action.