Time to quote some Doctor Who.

Firstly, some quick background.  I discovered Doctor Who at the age of 5, and have been a sci-fi fan for the 40+ years since.  Every year, my wife buys me a Doctor Who calendar for my “office” wall.

On a seemingly unrelated subject, a question I’m occasionally asked when speaking to journalists is “Dealing with scammers every day must make you suspicious of people”, and they seem surprised when I tell them the answer is in fact quite the opposite.  If anything, it makes me want to trust people more.  I expect scammers to lie, and am never disappointed.  However, the people I deal with on a daily basis out in the “real” world shouldn’t be tarred with the same brush as the scammers in my eyes.  It may seem naive, especially given what I do, but assuming everyone is lying to me would make me bitter and twisted, and I refuse to let the scammers do that to me.

What does this have to do with the calendar?  Each month has a quote from the associated Doctor (first for January, second for February and so on).  This month’s quote comes from the fifth incarnation, and it goes like this:

“I think it does us good to be reminded the Universe isn’t entirely peopled with nasty creatures out for themselves.”

Words to live by.

Oh the glamour of it all!

Sometimes you’ll hear me talk on the radio about scams.  Sometimes it’s a simple matter of being called up on the phone to do the interview, but sometimes I’m asked to go to the local BBC studio.  That’s where the fun starts.  I’ve made no secret of the fact I live in South Wales, and the closest studio to me is the Swansea one.  Back last year I got to visit the London studio, and believe me it’s an entirely different experience.  That place is HUGE!  You have to be given a security badge with your photo on it before you can even enter the glass labyrinth inside.  With Swansea, unless you know exactly where the studio is, you’ll walk right past it.  It’s not exactly the most well marked place.  It’s also a shared building, so only the bottom floor is BBC.

It’s also worth pointing out that, depending on the time of day, it can take up to an hour to drive to it due to the traffic.  Yesterday’s journey took just over 50 minutes.  Once you find it, you press a buzzer on the outside door and someone will let you in and lead you the dozen steps to a tiny, windowless room.  Imagine sitting in something like this:

So there you are, in this claustrophobic box, staring at a row of sliders you can’t touch (though you can now adjust the headphone volume, which is a new feature) and with headphones on that let you hear the broadcast in one ear and your own breathing in another, waiting to be introduced.  They ask you to turn up 10 minutes before the interview is due, but if they’re overrunning, you can be sat there for 20 minutes or so.  Eventually you’ll hear a voice over the broadcast letting you know you’re up next.  The host talks about the story, introduces you and you get about 3 minutes to show what an “expert” you are to the listening public while making sure to get the site’s name out there as many times as you can.  After that, it’s time to leave and make the drive back home.  Two hours for three minutes of air time, and yet I will jump at the chance each and every time as it helps get the word out and warn people about scams, and that’s the most important thing.

Protection for fraud?

In the last months a lot of articles were published about the new General Data Protection Regulation (GDPR) and the effects on the way the Internet we knew will work after May 25.

We are reading “data protection for all individuals”, which means consumers of Internet products provided by companies having an online presence.

The GDPR attempts to solve a problem that has escalated over time: the lack of responsibility for personal privacy shown with each and every breach into a high profiled company site, ending with a dump of the clients personal details offered for sale on the dark web. Sadly, the solution is only a partial one where the real companies are expected to do more to protect their clients‘ privacy. Cases like Equifax or Ashley Madison and even Facebook are just recent examples of how bad the things may end up for a consumer when the company declines any responsibility. Under the new regulations, a real company can be fined for not respecting the privacy of its clients. But what about a fake company, active online, stripping their victims of any privacy while defrauding those victims?

The new regulation does not have a single section dealing with cyber-crime. There needs to be elements making it clear that there is no privacy for online fraud.

The consumer (average user of the Internet) is targeted on multiple fronts, starting with fake accounts set up on reputable companies sites, and ending with fraudulent websites. The fake characters and the fraudulent websites have something in common: both pretend to be something/someone they are not, while defrauding people who are unaware they are communicating with a fake online entity.

Fake accounts

Most of the reputable sites use disclaimers to avoid any responsibility in the case of a consumer defrauded from the usage of their services. Others (a small minority) are posting blacklists of fraudsters, including the details used to register the fake and fraudulent profiles (email addresses, phone numbers, IP addresses). There is no common way of dealing with these cases and most of the details of the fraudulent profiles and accounts are deleted without being preserved. Not saving those elements in a standard way makes it impossible to predict/prevent any fraud, and makes any cyber hygiene impossible in the online environment. Aggravating this, even if a reputable site removes a fake account of a fraudulent entity, other sites will be not aware about this, and that fraudulent entity can act and victimize consumers on another similar website. The fake accounts problem affects everything online; classifieds (e-bay, Amazon etc), social sites (Facebook, Twitter etc.), dating sites and even search engines or Youtube. The entire Internet infrastructure is corrupted and poisoned by fraudulent activities tolerated and ignored by the ones supposedly able to clean their own online space, but not doing it properly. Everywhere online, the user is asked to flag or report fake profiles, inappropriate content or abuse – in most cases that is the only way of removing badness. Many of these reports are ignored. What about the websites/platforms own responsibility? None. There needs to be clear rules about this area, and those rules need to be implemented in a uniform and consistent way. There also needs to be responsibility for the way someone is abusing the services provided for committing fraud, as well as accountability for the platforms allowing those fake profiles to use their services while defrauding other users if the reports are ignored.

Fake sites

The fake website problem is another fraud on a different level. A fake website is created based on lies; a lie about who the entity owning that site is, a lie about what that site is doing, a lie about what that site asks for, and/or has to offer.

Fake sites and domains come in all shapes and forms. Some are used in Advance Fee Fraud (AFF), some are mixing the AFF area with phishing, some are mixing AFF with spreading malware, and some are used for Business Email Compromise (BEC). While there are fake websites with malicious domains using fraudulent content to deceive, there are domain names with no content actively used in other fraudulent activities online (for example, domains created only for the email address).

Thinking logically, we would assume that once reported for being involved in cyber-crime, a fraudulent domain name will never be online again. The practice shows otherwise. Suspended by a registrar, the very same domain can be recycled after a while, sometimes even re-registered with the exact same registrar. In theory, the regulators assume the domain name would be used in good faith, but let’s be honest: how many real and normal people have a legitimate reason to use a domain name similar to a bank or company name, or even have their own FBI or DEA?

No Registrar, not even ICANN, keeps a blacklist of the domain names suspended for being used in fraudulent activities, nor a list of the parties serially abusing the domain name system while registering such domains. Those elements are never shared between Registrars, which would avoid a bad actor abusing the domain name system, while registering domain names. Those details are hardly ever shared with law enforcement, despite fraud being committed. This action may avoid the re-use of the same domain names for other frauds. This may also avoid the “bad domain history” problem for an honest person trying to buy a domain name in good faith, without having any idea what type of activity that domain was used for before. Again, basic cyber hygiene is totally ignored, and the reason is simple; to register a domain name, the registrant has to pay a fee. As long as the money is paid, no one seems to care about how valid the registration details are, despite policies pretending otherwise. Nobody seems to care about how “clean” the money is, if it is obtained from online fraud, or if the domain name is used to perpetrate more online fraud. It makes no difference. From the GDPR point of view, the bad actor registering fake sites used in fraud becomes a private person using the services provided by an online active company – ICANN and the Registrars.

Theoretical speaking, there are procedures to be followed for mitigating online fraud. Those procedures might look great, but as long as applying them is optional and inconsistent from one Internet services entity to another, the entire “due diligence” becomes a bad joke at the expense of consumers.

Recently, the bad joke expanded in a concentrated effort to hijack the EU new-to-be GDPR laws to the detriment of the consumers. The main area where these actions happen targets the online presence of domain names, regulated by ICANN, and more specifically the WHOIS (registration) details of domain names active online. For the“ public good“, the identities of people registering domain names will become hidden. There is no difference made between real entities and fake ones, natural persons and businesses. There is also no mention about the responsibility after reporting the domains used for fraud. There is no accountability for the groups having the responsibility of checking before the fake entities become active online.

Before the GDPR, it was possible to use a proactive approach to identify bad actors registering fake sites before a victim gets defrauded, and act on specific elements to get those domain names suspended. After GDPR, this action will be harder to do, and those basic elements will not be available anymore. A potential victim searching for a loan, checking a WHOIS for the company promising that loan, then seeing it was registered in Benin can avoid the fraud attempt. Another potential victim checking a potential business partner pretending to be in Europe, also on their website, while being registered in Nigeria can also avoid the trap. This will become impossible when there will be nothing to check effectively.

Online fraud costs society over a hundred billion dollars in losses each year. Online fraud creates a major disruption at all levels of society. Instead of a proactive approach meant to stop online fraud, we see only shields built to avoid responsibility. The ones paying the price are the regular users of the Internet, and their opinion doesn’t matter – they are only statistic quantities, justifying actions twisted to serve commercial goals.

An example:

Only one percent of cases reported to the UK authorities results in prosecution, yet less than ten percent gets reported. This means that only 0.1% of cyber-fraud cases are resolved. Or, to put it another way, 99.9% of cyber fraudsters are never apprehended and successful.

Some real statistics:
Less than 400 million domain owners protected, at the risk of more than 7 billion users by a group of countries making up less than 8% of the world’s population, denying over 92% percent some of their basic human rights. Commercial interests and political ego games are more important than the consumer protection.

The Internet is becoming an increasingly hostile territory for the regular user. There is decreasing trust in anything happening online, and more and more people are paying the price for regulators ignoring online fraud. That lack of trust in the online activities expands into the real world. It is time to bring the Internet back to what it was supposed to be; a safe place for the ones using it. The proposed GDPR implementation in WHOIS creates a lack of transparency, and denies regular users a valid option for doing due diligence to protect themselves. This is not the way to achieve the goal of privacy, nor consumer protection.