Fear Thy Name is Conficker

Written by

Patrick Gray

CEO and Publisher

Over the last few weeks you may have read reports of a computer virus named Conficker (strictly a worm, since it spreads itself across networks and removable media without any help from the user). It's sophisticated and has infected millions of systems.

What you might not know is you actually funded its development.

The virus writers of old were trying to bring the pigopolist system down, man, but today, it's all business. Viruses make money for their creators by stealing credit card data from infected systems.

This type of fraud is the backbone of the cyber-criminal economy, and because merchants are generally forced to cover the cost of card fraud[1], they've already factored losses into the price you pay for that six-pack of beer or that new plasma screen telly. You're funding this crap, and it's the banks' fault.

Let's dig a little deeper.

Estimates of the number of computers Conficker has infected range from three million to 15 million. In anyone's language, that's a lot of computers. But Conficker is what many in the computer security field would consider a "garden variety" virus. Aside from its admittedly impressive distribution, it is technically competent but unremarkable.

So why all the media attention? Well, for starters it's due to "activate" on April 1, and there's nothing the media loves more than a good old-fashioned countdown. Consider it a mini-Y2k to feed the news cycle. And like Y2k, there'll be some fairly disappointed commentators and doomsayers when, on April 1, Conficker quietly upgrades itself on the computers it has infected and starts doing the rather mundane bidding of its masters. (What actually changes on that date is that infected machines begin checking a far larger list of generated domain names for instructions, which makes the update channel much harder for defenders to block.)

No mushroom clouds. No power blackouts. No blood running through the streets.

The Conficker network -- every infected system can be controlled by the creators of the virus -- will just do what similar nasties have done in the past: send spam and copies of other malware to more computers, steal the credit card numbers of the owners of infected systems via keystroke logging software, and flood grey-market websites with traffic until they fall over.

Those with most to fear from Conficker -- in the short term at least -- are online casinos and pornography sites. The network of Conficker-infected computers will be able to overload selected websites with bogus requests until the target falls over.

It's called a Denial of Service (DoS) attack (a distributed DoS, or DDoS, when it comes from a botnet of this size) and through blackmail, it pays. Want your Web site to work again? Give us $10,000 and we'll stop. For now, there are enough payers out there to make DoS attacks worth doing.

But the big money is in credit cards. In fact, if credit cards didn't exist, the size of the cyber "underground" -- the unholy alliance of computer criminals and more traditional fraudsters -- would be considerably smaller.

It works like this. Every time you make a purchase online, there's no way for the merchant to know if you are actually holding the card in your hand. They need the card number (16 digits), expiry date (4 digits), the name on the card and sometimes the three-digit "security" (ha!) code from the back.

So all anyone needs to make a purchase against your Visa or Mastercard account is those 23 digits and a name. Malware like Conficker can capture this information on your computer as you type it, before it ever reaches the merchant's encrypted connection. And we wonder why the bad guys are raking it in. Alternatively, skilled attackers may break into the systems of merchants or credit card processors and steal large databases containing your credit card data. This, in a nutshell, is how online credit card fraud works.
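To make concrete what "23 digits and a name" looks like once it has been captured, here is an added example (not code from the original article) of the kind of check an incident responder or a data-loss-prevention tool runs over a keylogger dump or a breached database: find 16-digit runs, keep only those that pass the Luhn check that every Visa and Mastercard number satisfies, and pick up the expiry and three-digit code typed after each one. The captured text is constructed for the example and uses published test card numbers, not real accounts.

```python
import re

# Constructed sample of what a keystroke logger on a shopper's PC would
# capture at an online checkout. The card numbers are test numbers, not real
# accounts; the second one deliberately fails the Luhn check.
CAPTURED = (
    "name: Jane Citizen\n"
    "card: 4539 1488 0343 6467\n"
    "exp: 12/27\n"
    "cvv: 123\n"
    "card: 1234 5678 9012 3456\n"
)

# 16 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
EXPIRY_RE = re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])/\d{2}(?!\d)")
CVV_RE = re.compile(r"(?<!\d)\d{3}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, the test every Visa/Mastercard PAN passes.

    Working from the right, every second digit is doubled (subtracting 9 if
    the result exceeds 9); the number is valid if the digit sum is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_data(text: str) -> list:
    """Find Luhn-valid 16-digit PANs in captured text and, for each, the expiry
    and CVV typed after it (before the next PAN). PANs are returned masked so
    the output of the scan is not itself cardholder data."""
    hits = []
    pans = list(PAN_RE.finditer(text))
    for i, m in enumerate(pans):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # sixteen digits, but not a card number
        window_end = pans[i + 1].start() if i + 1 < len(pans) else len(text)
        window = text[m.end():window_end]
        exp = EXPIRY_RE.search(window)
        cvv = CVV_RE.search(window)
        hits.append({
            "pan_masked": digits[:6] + "*" * 6 + digits[-4:],
            "expiry": exp.group() if exp else None,
            "cvv_present": cvv is not None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_card_data(CAPTURED):
        print(hit)
```

The same scan, run over a merchant's log files or a database export, is how you find out whether PCI-scoped data has leaked into places it should never have been stored; the Luhn filter is what keeps order numbers and phone numbers out of the results.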

Card-not-present fraud in Australia has increased by 50 percent over the last 12 months, according to the Reserve Bank of Australia. You'd think this would have the banks scrambling to remedy the situation, but as the liability for most fraud rests with merchants, they have little motivation to invest in solutions.

In fact, a secure online transaction project named MAMBO, being developed by bank-owned payment services company BPay, has been postponed because (it's rumoured) there wasn't a strong enough business case for it to continue. If banks were forced to own the liability for card fraud, that business case would change instantly.

For their part, consumers are protected from fraud on their cards by the card issuers, so they don't have a reason to kick up much of a stink. So the merchants carry the can for the bulk of the fraud and, of course, they factor fraud losses into their prices.

You are funding criminal activity while the banks stall projects that could combat it.

Think of the "fraud premium" on prices (or the infamous "credit card surcharge") as a tax the merchants apply to everything you buy. That "tax" exists to recoup the money destined for large criminal syndicates, which use it to invest in better computer virus technology.[1]

This is what economists would call a market failure.

Over the last several years there have been token efforts to improve the card fraud situation. The Payment Card Industry Data Security Standard, or PCI DSS, forces merchants to make some effort in securing credit card data as it passes through their systems. It's expensive to implement and it's clearly not working. Merchants' systems are still being breached left, right and centre.

PCI DSS is a band-aid on a bullet wound, and governments are starting to notice. The United States House of Representatives Committee on Homeland Security has just held a hearing (today) into the effectiveness of PCI DSS. The Department of Homeland Security is concerned the proceeds of data breaches and credit card fraud are funding terrorist activity.

It's not such a paranoid notion. Last year an influential Egypt-based cleric is believed to have issued a fatwa encouraging young Muslims to engage in cyber and credit card fraud to fund anti-Western activities. (No one has actually found evidence of the fatwa, but on the Internet perception is reality, and the unconfirmed edict is held as truth.) Herein lies another reason to fix the broken credit card model.

So what can we do? Well, we need to make card-not-present fraud impractical to carry out. We can make a good start by introducing more robust forms of authentication to card-not-present transactions. SMS or voice biometric authentication would be a good start, though a code that merely proves you own a phone can still be phished or intercepted; what really hurts the fraudster is a code tied to the specific payment, so that a captured code is worthless for any other transaction. Banks in Europe are experiencing some success with portable chip and pin readers, which work on exactly that principle.
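The following is an added example (not from the article, and not the actual protocol used by any bank's chip-and-pin reader, which relies on EMV cryptograms) of the principle behind transaction-bound authentication: the customer's token computes a short code from a shared secret over the merchant, the amount and a one-time challenge from the bank, and the bank verifies it. The message layout, the `Issuer` class and the shared secret are assumptions made for the example; the decimal truncation borrows the HOTP recipe from RFC 4226.

```python
import hashlib
import hmac
import secrets

# Hypothetical shared secret between the issuing bank and the customer's
# token. In a chip-and-pin reader the card holds the key; this value is
# a constructed example, not a real key.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def transaction_code(secret: bytes, merchant: str, amount_cents: int,
                     challenge: str, digits: int = 8) -> str:
    """Token side: derive a one-time code bound to this transaction.

    The MAC covers the merchant, the amount and a bank-issued challenge, so a
    code captured by a keylogger is useless for any other payment. Truncation
    to decimal digits follows the HOTP (RFC 4226) dynamic-truncation recipe;
    the message layout is an assumption for this example.
    """
    msg = f"{merchant}|{amount_cents}|{challenge}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Issuer:
    """Bank side (hypothetical): issues one challenge per transaction and checks the code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # challenge -> (merchant, amount_cents); single use

    def new_challenge(self, merchant: str, amount_cents: int) -> str:
        challenge = secrets.token_hex(8)
        self.pending[challenge] = (merchant, amount_cents)
        return challenge

    def authorise(self, merchant: str, amount_cents: int,
                  challenge: str, code: str) -> bool:
        tx = self.pending.pop(challenge, None)  # consumed on first use: no replay
        if tx != (merchant, amount_cents):
            return False  # unknown or used challenge, or details changed in flight
        expected = transaction_code(self.secret, merchant, amount_cents, challenge)
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    bank = Issuer(SHARED_SECRET)
    challenge = bank.new_challenge("shop.example", 4999)
    code = transaction_code(SHARED_SECRET, "shop.example", 4999, challenge)
    print("genuine payment:", bank.authorise("shop.example", 4999, challenge, code))
    print("replayed code:  ", bank.authorise("shop.example", 4999, challenge, code))
    challenge = bank.new_challenge("shop.example", 4999)
    print("amount altered: ", bank.authorise("shop.example", 99999, challenge, code))
```

Contrast this with the 23 static digits discussed earlier: a keylogger that records the code sees a value that only ever authorised one payment of one amount to one merchant, and the bank refuses it a second time.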

Alternatively we could move to a completely different transaction model in which your sensitive information is never handed to the merchant, such as in a direct deposit via your online banking. It's a much more sensible way of doing things.

The fact is we are moving toward a more secure online environment, but the progress to date has been glacial. Let's hope that in a few years advancements in transaction security will rob criminals' motivation to create computer viruses like Conficker. Until then, we've just got to ride it out.

[1] Some credit card companies offer schemes that allow merchants to shift liability back on to the card issuer, but they also come at a cost, as does chargeback insurance.

Patrick Gray is the host of the Risky Business security podcast and the managing editor of Risky.Biz, an information security news outlet.