Understanding Cybercrime
Cybercrime refers to criminal activities carried out using computers, networked devices, or the internet. As more of daily life moves online, these offenses have become one of the fastest-growing categories of crime globally. For criminology, cybercrime raises important questions about how traditional theories of crime apply when offenders and victims may never meet face-to-face and can be separated by thousands of miles.
This section covers the main forms of cybercrime, methods of digital identity theft, key legislation, and practical defenses against online threats.
Cybercrime Forms and Definitions
Hacking is gaining unauthorized access to computer systems or networks to steal data or cause damage. There are two broad categories worth knowing:
- White hat hacking is ethical hacking done to identify security vulnerabilities so they can be fixed. Companies actually hire white hat hackers for this purpose.
- Black hat hacking is done with malicious intent, whether to steal data, disrupt services, or extort victims.
Phishing is the attempt to fraudulently obtain sensitive information (passwords, credit card numbers, etc.) by disguising communications as coming from a trustworthy source, like a bank or employer. It comes in more targeted forms:
- Spear phishing targets specific individuals or organizations with messages tailored to seem credible to that particular victim.
- Whaling is spear phishing aimed at high-profile targets such as corporate executives or public figures, where the potential payoff is much larger.
Malware is an umbrella term for malicious software designed to infiltrate, damage, or gain unauthorized access to computer systems. The main types include:
- Viruses self-replicate by inserting copies of themselves into other programs or files, spreading when those files are shared.
- Trojans disguise themselves as legitimate software. Once installed, they give attackers remote access to the infected system.
- Ransomware encrypts a victim's files and demands payment (often in cryptocurrency) for the decryption key. High-profile ransomware attacks have shut down hospitals, pipelines, and city governments.

Methods of Digital Identity Theft
Identity theft in the digital space goes well beyond someone stealing your credit card number. Here are the primary methods:
Social engineering manipulates people into giving up sensitive information or taking actions that compromise security. It exploits human psychology rather than technical vulnerabilities.
- Pretexting involves creating a fake identity or scenario (e.g., posing as an IT support technician) to trick victims into revealing personal information.
- Baiting entices victims with offers or rewards, like a free USB drive left in a parking lot that installs malware when plugged in.
Skimming captures credit or debit card information using hidden devices attached to legitimate payment terminals or ATMs. Victims typically have no idea their data was stolen until fraudulent charges appear.
Malware-based theft uses malicious software to quietly collect personal information from infected devices:
- Keyloggers record every keystroke, capturing login credentials, credit card numbers, and private messages.
- Spyware monitors user activity and collects personal information without the user's knowledge or consent.
Data breaches occur when attackers gain unauthorized access to databases containing personal information. These often result from inadequate security measures at companies or institutions. A single breach can expose millions of records at once.
Synthetic identity theft is a newer and harder-to-detect method. Criminals combine real information (like a stolen Social Security number) with fabricated details (a fake name and date of birth) to create a fictitious identity used to open accounts or make purchases. Because the identity doesn't belong to any single real person, it can go undetected for months or years.

Combating Cybercrime and Protecting Privacy
Effectiveness of Cybercrime Legislation
Several major laws attempt to address cybercrime, though each has significant limitations.
The Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to computers and networks in the U.S. It was originally passed in 1986 and has been amended several times since. Critics argue its broad language can lead to over-criminalization of relatively minor offenses, such as violating a website's terms of service.
The Electronic Communications Privacy Act (ECPA) protects electronic communications from unauthorized interception in the U.S. It includes the Stored Communications Act (SCA), which governs when service providers can disclose stored electronic communications to the government. The ECPA was written in 1986, and many legal scholars consider it outdated because it doesn't adequately address modern technologies like cloud storage and social media.
The General Data Protection Regulation (GDPR) sets guidelines for the collection and processing of personal information in the European Union. It's considered one of the strongest privacy frameworks in the world.
- Grants individuals the right to access, correct, and delete their personal data
- Requires companies to obtain explicit consent before collecting and processing personal information
- Imposes fines of up to €20 million or 4% of global annual revenue, whichever is higher, for non-compliance
The California Consumer Privacy Act (CCPA) enhances privacy rights for California residents and has influenced privacy legislation in other U.S. states.
- Grants consumers the right to know what personal information is being collected and to opt out of the sale of their data
- Requires businesses to implement reasonable security measures to protect consumer data
A recurring theme across all of these laws is the tension between keeping up with rapidly evolving technology and the slow pace of legislative change. By the time a law is passed, the threats it addresses may have already shifted.
Protection Against Online Threats
Preventing cybercrime involves both individual habits and organizational practices.
Strong password practices:
- Use long, complex passwords with a mix of uppercase and lowercase letters, numbers, and special characters
- Never reuse the same password across multiple accounts (a breach on one site then exposes every account that shares that password)
- Enable two-factor authentication (2FA) whenever available, which requires a second verification step beyond your password
Regular software updates and patches:
- Install updates promptly, since they often fix known security vulnerabilities that attackers actively exploit
- Use antivirus and anti-malware software and keep it up to date
Secure network connections:
- Use a virtual private network (VPN) when connecting to public Wi-Fi, which encrypts your traffic so others on the network can't intercept it
- Secure home Wi-Fi networks with strong encryption (WPA3 is the current standard; WPA2 is the minimum)
Cautious online behavior:
- Be skeptical of unsolicited emails, messages, or calls requesting personal information
- Verify the legitimacy of websites before entering sensitive information (check for HTTPS and confirm the URL is correct)
- Avoid clicking suspicious links or downloading attachments from unknown sources
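What "check for HTTPS and confirm the URL is correct" means in practice, as an added example that is not part of the original text: the check has to look at the actual host the link connects to, not at whether a familiar name appears somewhere in it. The trusted domain bank.example and all sample links are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the set of domains the user really does business with.
# "bank.example" is a constructed placeholder on a reserved TLD.
TRUSTED_DOMAINS = {"bank.example"}


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons a URL fails the checks (empty list = passes)."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")

    # 1. HTTPS: without it, credentials cross the network unencrypted.
    if parts.scheme != "https":
        problems.append("not-https")
    # 2. "https://bank.example@other.test/" connects to other.test; the text
    #    before "@" is only a username, used to make the link look familiar.
    if parts.username is not None:
        problems.append("userinfo-in-url")
    # 3. Punycode labels can render as look-alike characters in a browser.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode-host")
    # 4. A raw IP address in place of a name.
    try:
        ipaddress.ip_address(host)
        problems.append("ip-literal-host")
    except ValueError:
        pass
    # 5. The host must be a trusted domain or a subdomain of one. A substring
    #    match is not enough: "bank.example.login.test" belongs to login.test.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        problems.append("untrusted-domain")
    return problems


# Constructed sample links, as they might appear in an unsolicited message.
SAMPLES = [
    "https://www.bank.example/login",
    "http://bank.example/login",
    "https://bank.example.login.test/",
    "https://bank.example@other.test/",
    "https://192.0.2.10/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_url(url) or "ok")
```

A link that passes only the HTTPS check is not thereby legitimate, since any site can obtain a certificate; the domain comparison in step 5 is the part that confirms the URL.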
Monitoring financial accounts and credit reports:
- Regularly review bank and credit card statements for unauthorized transactions
- Monitor credit reports for signs of fraudulent activity, such as accounts you didn't open
Organizational measures are just as important as individual habits, since many of the largest breaches result from employee error or weak internal policies:
- Employee training should cover cybersecurity best practices and how to recognize phishing attempts and other social engineering tactics
- Incident response planning means developing and regularly updating a plan to minimize damage and ensure swift recovery after a breach
- Security audits and penetration testing proactively identify vulnerabilities before attackers can exploit them