Computer Crime Research Center


Police say banks not reporting cybercrime in effort to protect image

Date: May 30, 2008

MONTREAL — Online banking and other Internet transactions may not be as secure as many Canadians believe, say law-enforcement officials who accuse financial institutions of under-reporting cybercrime.

Fraud investigators say they are worried publicity-shy private-sector organizations like banks avoid telling police when cybercriminals strike.

"Banks are often victims and we know that they only declare very few of the crimes committed against them," said Yves Francoeur, who heads the Montreal police brotherhood.

The RCMP's anti-fraud centre has tried to push the financial sector to be more up front with authorities.

But they claim the major players in the industry fear their reputations will be tarnished by having embarrassing cases such as identity theft exposed in public.

"It's all about image," said Cpl. Louis Robertson. "It's not in their best interests to do this."

The Mounties believe the $35 million of mass-market fraud reported in 2007 represents at most 10 per cent of all incidents.

"If we extrapolate, we are looking at, minimum, $500 million a year," Robertson said, noting the figure does not include losses stemming from identity theft.

"It's really hard to give a definite picture of the problem to our MPs and the powers in Ottawa when you don't even have a clear picture yourself."

Criminals make use of phishing e-mails and other forms of social engineering technology to steal personal information, which can in turn be used to defraud retailers and financial institutions.

Social engineering fraudsters work from the belief that its easier to trick someone into giving up information than to steal it from them.

Phishing, for example, fools consumers into providing sensitive information by making an e-mail seem to come from a bank or credit card company.

The Canadian Bankers Association denies its members have been reticent to reports such incidents to police.

"We have to all work together to fight a lot of this crime," said association spokeswoman Maura Drew-Lytle. "Banks co-operate with police across the country."

Yet the problem of under-reporting cybercrime is considered serious enough that the Canadian Association of Police Boards has approached the bankers association about developing an anonymous reporting mechanism.

"Even companies that aren't reporting said we need a confidential mechanism to report," said Canadian Association of Police Boards president Ian Wilms.

"What they told us is that reputational risk is their biggest concern."

A recent report on cybercrime by the association of police boards cited the need for mandatory reporting of economic cyber-security incidents.

Without an accurate handle on the extent to which financial institutions are victimized, few police forces are willing to dedicate the resources needed to fight financial forms of cybercrime.

Of the 62,000 police officers in Canada, only about 250 are tasked with cybercrime, usually with a focus on child pornography.

"We have priorities and if we look at the order of these priorities, financial institutions are at the bottom," said Christian Emond, an officer with the Montreal police's economic crimes unit.

Street gangs, organized crime and terrorism top the force's list of eight priorities.

"When you get the eighth spot, the resources accorded are going to be limited," Emond said.

And yet there are several indications that electronic forms of bank fraud and identity theft are getting worse.

Interac, which links bank machines and debit terminals across Canada, pegged 2007 losses from debit card skimming at $106.8 million, up from $94.6 million a year earlier and $44 million in 2003.

"Certainly the losses are increasing, but so are our efforts to fight it," Drew-Lytle said.

Most consumers have been shielded from the effects of increased cybercrime thanks to client-friendly policies at many banks. The $106.8 million taken from debit-card users last year was all reimbursed.

But some wonder how much longer financial institutions will be able to absorb these costs given rapidly rising rates of cybercriminality.

"Those industries that have been hit are sucking up their losses as the cost of doing business," Wilms said.

"As this grows, perhaps you'll see a behavioural change, and you'll be responsible for your own account."

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo