| Previous Section | Index | Home Page |
5 Nov 2008 : Column 86WH—continued
Hon. Members are familiar with the different types of internet fraud. Phishing has been mentioned, as has identity fraud, spamming and scamming. I would like to add another—spoof websites. I do not know whether other hon. Members have suffered from spoof websites. The one that I have in mind was a local site for Sutton’s Liberal Democrats. When we clicked on the link, we found that the site purported to describe Liberal Democrat policy. Apparently, we were in favour of boiling babies, killing the first born and many other atrocious things.
Hon. Members will of course be surprised to find that the organisation behind that site was the local Labour party.
Hon. Members: The new Labour party.
Tom Brake: I give way to the hon. Member for North-West Leicestershire (David Taylor).
David Taylor: I am certainly not new Labour. The hon. Gentleman has raised an important point about political fraud. The hon. Member for Wyre Forest (Dr. Taylor), whose debate it is, used the slogan, “If it looks too good to be true, it’s not true.” The problem with that is that it includes virtually every Liberal Democrat “Focus” leaflet I have ever seen.
Tom Brake: I thank the hon. Gentleman for that intervention. When he sought to intervene on me, I am not sure that he intended to make that point—he clearly adjusted his intervention in an effective and immediate way.
One extremely good point raised by the hon. Member for Wyre Forest is that we could all be subject to internet fraud if we are not careful. Other hon. Members will have read the briefing for the debate, and will have been surprised or entertained to find that no less a figure than President Sarkozy had his bank account hacked into and sums withdrawn. He will no doubt be taking legal action over that, and I hope that he is successful. However, I am pleased to find that he was not successful in taking legal action against a firm that had produced a little voodoo doll in his shape. He took offence to that, principally because the manufacturers suggested that a life-size version should be produced.
I must move on to more serious matters. Hon. Members have mentioned different types of internet fraud. The statistics are alarming—we have had some from the US to allow the Obama link to be made, as well as statistics from the UK. The potential for internet fraud is huge. More than 15 million households in the UK have internet access and that is the pool in which phishers and others can work. In 2007, over 50 per cent. of adults purchased goods or services over the internet. A huge number of adults use the internet and the pool of potential victims is enormous. I will come shortly to a quote from a Minister, which I think underlines the scale of the problem.
Positive developments have taken place since I held a debate on this subject last December. Just over a month ago on 1 October, the Government set up the new National Fraud Strategic Authority. Its remit is to ensure that the criminal justice system focuses on the needs of victims. There should be stronger deterrents to fraudsters, greater public confidence in the response to fraud, and individuals and organisations should be given greater capability to protect themselves. In a press release announcing the new strategic authority, the then Under-Secretary of State for the Home Office, the hon. Member for Gedling (Mr. Coaker) said:
“Fraud is a crime that is second only to the illegal drugs trade in terms of its impacts on the UK.”
I shall return to that quotation in a few minutes.
The strategic authority has an interim chief executive. I hope that the Minister will say at what point he expects that position to become permanent, as that would give more strength to the organisation. The
Government have also set up the police central e-crime unit. That will be operational by spring 2009, and perhaps the Minister will confirm that it is still on track. I know that appointments have been made to it, but it would be useful if he told us exactly how many officers will be based in that unit.
The Minister will be familiar with concerns that have been expressed about the level of funding available for the unit. We should bear in mind what the then Under-Secretary said about fraud as a crime being second only to illegal drugs, and hon. Members will have seen quotations from various other organisations. Gareth Elliott, policy adviser at the British Chambers of Commerce, said that establishing the police central e-crime unit was
“a step in the right direction but £7 million does not seem like very much compared to the cost of cybercrime.”
Mark Williams: My point is about businesses and the issue of responsibility that was raised by the hon. Member for Ribble Valley (Mr. Evans). A survey revealed that one in five employees share computer passwords and 63 per cent. of businesses do not restrict access to any website among their employees. That goes back to the point about the responsibility of the businesses themselves.
Tom Brake: All individuals and businesses have a huge responsibility. I cannot say that I have never allowed someone else to use my login. It happens, and we should try to stop it happening, but we are probably all guilty of not enforcing the right protective measures at some point. As someone who worked for 13 years in the computer industry before being elected, I should know better than most about the importance of maintaining appropriate levels of security. Concerns have been raised about how many resources will go into that unit, and perhaps the Minister could tell us precisely what level the fraud will be reduced by. Has the organisation been set a target that it must meet, and will the proposed £7 million be sufficient for the task? It would be useful to know whether online pharmacies will fall within the remit of the police e-crime unit. Will it have the necessary skills to address that specific and recent development in relation to internet fraud?
As part of the new approach, a national fraud reporting centre and intelligence bureau is being established, and there are similar questions about how many staff will be based in that unit, when consumers can start reporting fraud online and, critically, whether people will be encouraged to report all fraud. Until now, the Home Office has actively encouraged people to report fraud directly to their banks as opposed to the police, and the concern is that the level of fraud may be significantly underreported because banks and other financial institutions do not want people to know how vulnerable they are to that crime. Will the Minister confirm whether people will be encouraged to report all crime to the reporting centre? It may be too early to say, but what can people expect to happen once they have reported a fraud? Is the purpose of the reporting centre to accumulate statistics and identify trends, or is it expected that once fraud has been reported, action will be taken or the matter passed to the relevant police force, so that something concrete will result as a result of the report?
A number of hon. Members have rightly pointed out that business has a responsibility here, as do individuals. It was suggested that financial institutions should take a more proactive approach in writing to their customers, highlighting concerns about fraud and making people aware of the latest scams. Perhaps the broadband companies could also do the same thing. People who use the internet will do so through a fixed line or a mobile phone, and telecommunications companies and those that supply broadband could also communicate with their customers on a regular basis to highlight how internet fraud is developing, what action people could take and what issues they should be aware of or worried about.
I do not want to go over my allotted time, so I shall draw my comments to a conclusion. Clearly, action is being taken, but there are concerns about, for example, whether the £7 million that will be put into the e-crime unit will be sufficient, and whether the unit will be sufficiently resourced to do the job in hand. I hope that the Minister will give us some comfort that it will be able to do the job that it is required to do.
10.30 am
James Brokenshire (Hornchurch) (Con): I add my congratulations to the hon. Member for Wyre Forest (Dr. Taylor) on securing this debate. It is timely, because there is insufficient awareness of the matters involved, not simply by the public, but by business and the Government. We shall make a difference only if all three aspects are properly addressed.
A report for the Association of Chief Police Officers estimates that all types of fraud costs the UK economy at least £14 billion and adds that it would be surprising if the true total was not higher. A separate US study estimates that the annual cost of internet fraud to the global economy amounts to $1 trillion. The threat is rising. Eight out of 10 major businesses were targeted by cybercriminals last year, and according to the police, e-crime is the most rapidly expanding form of crime in this country. One journal has even described cybercrime as “the new drugs.”
A survey for the Government's getsafeonline.org internet safety website suggests that the public feel much more at risk of being a victim of online crime than of being robbed on the street, having something stolen from their car, or having their house burgled. According to the Association for Payment Clearing Services, internet and e-commerce fraud on credit cards was £223.8 million in 2007, which was up by 45 per cent. on the previous year. The number of bogus websites purporting to be those of genuine banks or financial institutions to entrap unwary customers is growing exponentially, and in 2005, according to APACS, there were 1,713. Last year there were 25,797, which shows the scale of the growth, which is continuing.
The online identity firm, Garlik, estimates that online financial fraud has grown by 20 per cent. in a year with more than 250,000 incidents in 2007. Business continues to be targeted with more than two thirds of the members of the Corporate IT Forum, which is made up of technology managers at the UK's largest firms, reporting increases in the amount of hi-tech crime committed against them.
We should not kid ourselves that this problem emanates from overseas. According to the US Internet Crime Complaint Center—IC3—the UK is the second biggest source of cybercrime behind the US, accounting for one fifth of all cybercrime, and as technology continues to change, the threats continue to change. A recent report on a new Trojan virus suggested that it had compromised more than 270,000 bank accounts and 240,000 credit and debit cards in the US, Australia and Poland, using a clandestine drive-by-download approach, which would not alert the user.
Some malicious software is even being offered to criminal networks on the internet with “non-detection warranties.” We are seeing the development of an online black market with criminals buying illegal data from third parties on online data supermarkets, as well as sharing that malicious software. Cybercriminals are becoming much more organised in their approach with the Internet Security Forum suggesting that raids in the virtual world to steal personal information and customer data for financial gain and fraud are being planned like bank raids in the real world. The development of more targeted and specific, unsolicited e-mail phishing attacks incorporating stolen information on the recipient to give the fraud the air of legitimacy, and duping people who would not otherwise have agreed to confirm their banking details following a bogus request are also increasing. They even have their own title—spear phishing.
In its report, “Personal Internet Security” the House of Lords Select Committee on Science and Technology described the Government as having their “heads in the sand” over cybercrime. A senior police officer noted recently that British politicians
“don't seem to have an appropriate sense of fear”
“we need to terrify, encourage or excite them.”
Although there has been some slow movement by the Government since then, business is still not impressed, with 57 per cent. of technology managers at the UK's largest firms saying that they did not believe that the police would deal with hi-tech crime properly. David Roberts, head of the Corporate IT Forum, said:
“IT chiefs in UK PLCs don't think the government appreciates the scale of the cybercrime threat, the seriousness of the threat or how much it is costing.”
“Business confidence in the Government's ability to help them fight cybercrime is at rock-bottom.”
Tom Brake: Does the hon. Gentleman agree that the Government’s approach, whether to identity fraud, internet fraud or the level of resources, is matched by their repeated failure to look after data properly?
James Brokenshire: The data issue is relevant, and I shall address it further and in more detail.
The online payment company, CyberSource, notes in its fourth annual UK online fraud report that
“the lack of interest from the police cited by many merchants seems to be encouraging fraudsters to be ever more bold. In many cases they will place orders with stolen credit cards and then wait outside the victim's house to collect the goods.”
However, I welcome the Government's decision to adopt our policy of creating a special cybercrime policing
unit. The new police central e-crime unit, headed by Detective Superintendent Charlie McMurdie, is an important step forward, and I want to put on the record my recognition of his work over a number of years to highlight the issue and to develop strategies to combat online fraud. We should be under no illusion that the PCECU is a panacea; it is just one part of the solution. As we have heard, there are questions about how it is being resourced and what capabilities it will have, but it is an admission by the Government that they were completely and fundamentally wrong to get rid of the national hi-tech crime unit in the first place. The Government must do much more to deal with the growing threat.
I continue to be struck by the lack of any real urgency, priority or apparent willingness to obtain proper data on the true scale and nature of the problem, or to ensure that, once obtained, the information received is properly categorised, catalogued and analysed. Police databases do not currently distinguish between whether frauds are committed electronically or not, nor do Home Office and prosecution figures, so we do not even know how many criminals are being brought to justice for such offences.
We have made it harder for the public to report such crime and to provide the intelligence necessary to allow a strategic response to identified patterns of threat. The transfer of responsibility for receiving reports of online financial fraud from the police to the banks, which was introduced last April, was a mistake. What sort of message does it send to the public if, having reported an internet banking scam to the police, they are simply told to get in touch with the bank first? At best, it sends out a confusing message about the importance attached to cyberfraud. At worst, it suggests that the Home Office either cannot cope or cannot be bothered with such crime. It also builds even more inertia into a system already in desperate need of a jolt. If a report is received, the bank decides whether that information is reported to the police. It is then at the police's discretion to decide whether that report is recorded and, if it is recorded, whether anything is done about it. We must see what impact the new National Fraud Reporting Centre will have in bridging that gap.
However, the threats are not limited to domestic criminals; there are also sophisticated international criminal networks. It is therefore obvious that we need to work with our partners abroad. I welcome the lead taken by the FBI in Operation Botroast to combat illegal botnets, which are used to carry out mass spam and other attacks. It has also infiltrated criminal networks that buy and sell credit card details and bank log-in information through the DarkMarket website. The Serious Organised Crime Agency, as an FBI partner, played a role in that operation. However, international co-operation is not working as effectively as it should at all levels. As we heard, the British Government signed the European cybercrime convention in 2001 but, seven years on, ratification has still not taken place. Will the Minister confirm when ratification will be complete?
We have heard about data and, indeed, many frauds are now perpetrated using illicit information obtained through clandestine means. Business, all agencies and Government therefore need to raise their game. Certainly, on data security, the Government’s record, to say the very least, is pretty poor. We are obviously all aware of
the loss of Her Majesty’s Revenue and Customs records, but in the past year, according to reports filed by different Departments, the Government lost the records of 30 million people. Recent information disclosed that almost one public servant is dismissed or disciplined every single day for data breaches and inappropriate use of personal information. That matters, because if the information gets into the hands of criminal networks, they will use it to perpetrate fraud on the unwary and unsuspecting, and to cause damage not only to individuals, but to confidence in the internet as a trade and business platform.
The public need better information and advice on how to take active measures to protect themselves. If they should fall victim of an e-crime, they need to be confident both that there is a clear way of ensuring that the information is reported, and that it will be acted upon. We called for the establishment of a fraud and cybercrime complaints centre, linked to an online safety and advice portal that works with industry, to draw together best practice and advice and provide the most up-to-date information. Of course we have getsafeonline.org, but it is not a dynamic portal. It is not updated on a regular basis using the information that comes through on emerging threats. It needs to be much more dynamic in that regard: it needs to be co-ordinated with reporting and policing, and in terms of getting information to the public.
The public need to know that their personal information will not be compromised and that they can take steps to protect themselves against identity fraud and the risk of other frauds that come from it. That is why we would impose legal obligations on financial services companies to report data breaches to the Information Commissioner and, if required by him, to notify their customers so that they can take steps to protect themselves. I also believe that education and awareness of the potential risks in the online environment need to be enhanced. That is why we would promote cyber safety and security as a core part of all information and communications technology training in schools and colleges in this country.
The Government need to raise their game on data security and to set an example. They are not doing that well enough at the moment. That is why we would create an offence of reckless handling of personal data by Government, making it a criminal offence for a Crown servant or Government contractor to lose personal data from their control. It is also why we would scrap the approach of creating ever-bigger databases that, rather than protect us, put us at greater risk of falling victim to fraud-type crimes. Storing all that data in one place produces a kind of honeypot effect. It attracts criminals who would use the information, which will have an impact if the data leaches away.
This country urgently needs to up its game. As CyberSource noted:
“As long as criminals believe they can get away with committing fraud against online merchants, the problem will continue to grow to a point where it may challenge the competitiveness of the on-line model”.
If the Government do not take cybercrime seriously, it would simply reinforce in the minds of the criminal gangs the idea that this country is a soft touch. If they think that, we are all more likely to be the next victim of internet fraud.
| Next Section | Index | Home Page |