Predatory Cyber Crime in South Africa: Current Risks and Realities
The number of people sharing information through Internet-facilitated social networking and the growth of smartphones have dramatically increased the risks of cybercrime in South Africa. The public should be warned of these risks and how to prevent them.
Charles Goredema, Senior Research Fellow, Transnational Threats and International Crime Division, ISS Cape Town
Nearly a year ago, a specialist in software risk management and data
storage, Marthinus Engelbrecht, warned that while statistics on violent crimes
in South Africa hit the headlines every day because of their severity, cyber
crimes were much more common and had a much bigger impact (The New Age,
14.09.2011). Crime analysts and commentators have regularly warned about the
insidious nature of cyber crime and have occasionally predicted an upswing in
its occurrence. The build-up
to the World Cup soccer tournament in 2010, for example, provided a platform
for estimates of scale, some of which appeared exaggerated. There are in fact no
statistics to reflect what was eventually experienced. However, numerous factors
indicate that the risk of South Africans falling victim to cyber crime has grown
immensely.
There is
general consensus that cyber crime is any crime that is committed by means of a
computer device which is linked to other computers through the Internet. At the
same time, there is much uncertainty about the full range of such crimes and
how they affect our daily lives. In a typical cyber crime situation, the
computer may be used either as an instrument by which to initiate the crime, or
as the target of the crime, as stated by the Council for Scientific and
Industrial Research’s Joey Jansen van Vuuren and Marthie Grobler in a study
done in 2009. The
scope of activities which could fall within the definition of cyber crime is
potentially quite broad, ranging from purely malicious or intimidatory
invasions of privacy, to the theft and abuse of personal identity particulars
and the fraudulent manipulation of electronic data to commit theft. At the
level of state security, instances of data destruction through electronically
transmitted malicious software have been reported. A common thread connecting
these activities is the intrusive abuse of computers.
The primary
source of risk is the increase in the number of people sharing information
through Internet-facilitated social networking and the phenomenal growth in the
use of computer devices in the form of smart mobile phones. Since 2010, the
number of users has grown, partly in direct proportion to the increase in the
number of social websites such as Facebook and LinkedIn, as well as the BlackBerry
Messenger service, and partly as a result of greater access to smart phones.
Figures released in February 2012 showed that global sales of mobile phones had
escalated from 1,391 billion in 2010 to 1,546 billion by the end of 2011 (International
Data Corporation, February 2012). By that stage there were 5,9 billion mobile
phone service subscribers. South Africa, which boasts 4 mobile phone service
providers, has around 42,3 million subscribers. Current figures show that at
least 65% of South African households have access to a cellular telephone on
contract, compared to only 20% with access to a home-based landline. The highest concentration is in Gauteng,
with 48% of adults having access. Other provinces range from 43%
in the Western Cape to the lowest penetration of 24% in the Eastern Cape,
according to forensics expert Craig du Plooy.
The nature of the information transmitted through
smart phones appears to be entirely up to the user. There is a high probability
that users are not aware of the potential criminal uses of some of the personal
information transmitted. Contact addresses and status updates, if intercepted,
can be as strategically important to a fraudster as information solicited by,
and provided to, websites of unverified integrity. Information-stealing malicious
software (malware) has become quite common, but is not generally known to smart
phone users.
Ironically, improvements in the speed of accessing
the Internet have escalated the cyber crime risk. With the increase in broadband
access, greater opportunities for cyber fraud arise. Faster access encourages
more use of the Internet, but also increases the chances for data interception.
The SEACOM cable operator has reportedly increased bandwidth internationally by
ten times since its trans-continental network came into operation midway
through 2009.
Risk also
arises from the use of unprotected computer devices. An unprotected computer
which is connected to the Internet is a weak link that exposes the entire
system to worm-borne attacks. Unprotected computers in the hands of users with
inadequate or no training unwittingly raise the risk of cyber attacks on an
unlimited range of other connected computers. It is a risk pertaining not just
to smart phones, but also to computers donated to charities or to schools.
The use of data storage cards, such as credit and
debit cards, is being encouraged in many economies striving to move away from
cash dominated transactions. It is perhaps most common in Africa’s tourist
hubs. Over the years, cyber criminals have targeted data storage cards as media
from which to ‘harvest’ financial account information. Card cloning is proving
to be a resilient form of criminality in South Africa. The statistics on
distribution are, however, scanty. Anecdotes from reported crimes nevertheless show
a strong representation of the hospitality sector, especially restaurants in
the Western Cape, among the targeted establishments. Analyses by institutions
such as the South African Banking Risk Information Centre (SABRIC) highlight
the concentric structure of crime networks implicated in card cloning. On the
fringes are relatively lowly paid casual workers, mostly serving as waiters or
waitresses, recruited by knowledgeable runners who instruct them to collect data
from credit and debit cards using portable scanners. The collected data is
subsequently transferred to cloned cards for use in commercial transactions or
for fund withdrawals. Data capture from compromised automated teller machines is not
as common as that which is manually assisted, but it remains an area of
exposure.
Knowledge is vital in pre-empting and minimising
cyber crime. In 2010, the South African government declared cyber-security to
be a national security priority. The declaration reinforced the official
resolve underlying the three main applicable statutes, namely the Interception
and Monitoring Prohibition Act (1992), the Prevention of Organised Crime Act
(1998) and the Electronic Communications and Transactions Act (2002). The
legislation is broad enough to penalise unlawful interception and monitoring of
e-mail and text messages. While the law might be in place, the reality is that
its effectiveness depends on its intended beneficiaries being aware of how to
use it and when.
At this point,
awareness of risks and how to mitigate them does not appear to be spreading as
quickly as the escalation in the use of cyber-technology. It is largely confined
to governments, and the senior levels of larger users of e-technology, such as
the financial industry. In 2006 the African Information Security Association
(AISA) was established to promote knowledge and create awareness about computer
security and cyber crime. The United Nations
African Institute for the Prevention of Crime and Treatment of Offenders (UNAFRI) launched the African Centre for Cyber Law
and Cybercrime Prevention (ACCP) in Kampala, Uganda in August 2010 in response to mobile phone
banking. The ACCP
set itself the ambitious task of monitoring cyberspace abuses and the incidence
of cyber crime in Africa.
More information is
required on forms and trends of cyber crime. This might stimulate an
improvement in cyber-crime reports, which will enable better databases to be
compiled. Enhanced databases can support more pro-active investigation, as well
as the identification of crime networks. Given the rapid proliferation of smart
phones, it is suggested that all users should be informed of the main risks and
realities. Simultaneously, service providers should be required to
appropriately secure all devices they distribute.