Nigel's Eyes

20230619 - Two immediate and free ways for governments to reduce on-line crime

Online crime works because a) people don't think "fraud first" and/or b) companies hold data that puts customers at risk.

Your home is your castle and, by extension, so is your computer and, by further extension, your mobile devices. You are, or should be, entitled to feel safe within your own walls, surrounded by a moat, with the drawbridge pulled up.

Or at least your front door locked and bolted.

But the best fraudsters operate by stealth: they don't arrive with a trebuchet or a battering ram: they knock and ask to borrow a cup of sugar, or tell you that there's a hole in your roof. And so you let them in and then they go to work.

Today, the safe place is your e-mail. It's yours and you have full control over it, so it's safe, right? So when someone says "click here", where's the harm?

Report after report says that the single most successful e-mail frauds, from phishing to romance scams and a whole range of commercial and other offences, happen because people click on links they don't know.

But in fact, in many, many cases, people click on links they think they know but it turns out that where they are taken is not where they expected to go.

HTML has, since inception, had a feature that allows the designer of a web page (or a "rich text" or HTML mail) to insert something you recognise or trust and hide something else behind it.

Let's be clear: it's like sliced bread: innocuous enough and very convenient but of itself it's not very good for you.

This is how it works: a "tag" called "a href" is created between two angle brackets and a web address is inserted. Then either an image or some text is appended and the "tag" is closed. When you look at that in a webpage you see the image or text. You don't see the web address.

So if what's inserted is the logo of your bank, then you trust it, you click on it and you go to --- well, wherever the link takes you. When you get there, you might be a victim of fraud or your computer might automatically download and run malware ranging from stuff to steal the contents of your hard-drive to ransomware.

So, how can you minimise this risk? Insofar as the link sits in an actual web page on the web, realistically, you can't. You just have to pay attention and, if your browser displays the actual link in a bar on your screen, don't click until you have carefully checked it (and by carefully, make sure it's correct and not a fake address that merely looks like it belongs to your bank, etc.).
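The following is an added example, not code from the original post: it does in software what the previous paragraphs ask the reader to do by eye. It parses the body of an HTML e-mail, lists every "a href" anchor with the text or image shown to the reader, and flags anchors where the visible text names one site while the address behind it goes somewhere else, or where only an image is shown and nothing visible hints at the destination. The e-mail body, the domain names in it and the field names in the output are all constructed for the example.

```python
"""Audit the links in an HTML e-mail body: show where each one really goes and
flag the ones whose visible text or image does not match the hidden address.
Added example; the sample mail and all domains in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A visible domain name needs at least one dot and a label of two or more
# characters after it, so "e.g." in body text is not mistaken for a domain.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]{2,})+)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text, contains-image) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished anchors
        self._current = None   # state while inside an open <a ...>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href", ""), "text": [], "image": False}
        elif tag == "img" and self._current is not None:
            self._current["image"] = True   # an image is what the reader sees

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            c = self._current
            visible = " ".join("".join(c["text"]).split())   # normalise whitespace
            self.links.append((c["href"], visible, c["image"]))
            self._current = None


def host_of(url):
    """Host part of the address the anchor really points at ('' if none)."""
    return (urlparse(url).hostname or "").lower()


def same_site(a, b):
    """Crude registrable-domain comparison: compare the last two labels."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def audit_links(html):
    """Return one finding per anchor, with the real target and any reasons for suspicion."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text, image in parser.links:
        target = host_of(href)
        reasons = []
        if image and not text:
            reasons.append("image-only link: nothing visible hints at the destination")
        shown = DOMAIN_RE.search(text)
        if shown and not same_site(shown.group(1).lower(), target):
            reasons.append(f"visible text names {shown.group(1)} but href goes to {target}")
        findings.append({"href": href, "text": text, "target": target,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample: a "bank" mail with a look-alike link, an image-only
# tracker link, and one honest link.
SAMPLE_MAIL = """<p>Dear customer,</p>
<p>Please <a href="https://secure-login.example.net/verify">log in at www.examplebank.com</a>
to confirm your details.</p>
<p><a href="https://tracker.example.org/r?u=123"><img src="cid:logo" alt="Example Bank"></a></p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help centre</a>.</p>"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_MAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] shown: {f['text'] or '(image)'!r:40} -> {f['href']}")
        for r in f["reasons"]:
            print("      ", r)
```

Run it on a saved message body and the first two links are flagged: the bank's name is in the text, but the address goes to a different site, and the logo link shows nothing at all. This is the check the author asks for (read the real address before clicking), done before the mail is ever opened in a rendering client.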

In e-mail, it's simpler: just set your e-mail program to display "plain text" only. And if someone sends you "rich text" send their mail back and tell them to resubmit it in plain text.

What can governments do?

They can ban all rich text/html in e-mails. Then there can be no graphics and no hidden URLs.

They can insist that e-mail programs do not have the ability to send out e-mails in rich text/html.

And to make sure that this is driven home, make the use of this form of e-mail illegal.

It's not difficult: "It shall be a criminal offence to issue any e-mail containing any code other than plain text."

How will it be evaded? People will send out e-mails that say "click here to read your message as a web page", like the Law Society of England and Wales does, and hide the address it goes to (it's a tracker by a third party (no cookie warning) that collects your information and then sends you on to the LawSoc's own page). Naughty, huh?

Who will complain? Marketing people and those who think that communications must be pretty.

Who will like it: everyone who has ever been conned or had malware arrive on their computer.

The second thing that should be done, and is both free and easy, is a global ban on any company retaining any card payment data. Credit card information held by retailers and/or credit card processors is one of the main sources of finance for organised crime over the internet. The Dark Web is awash with lists of stolen credit card numbers. There is a good reason for those numbers to be retained for a short time, for example to effect refunds. But even then, there are techniques for reducing that need.

The idea is simple: if the numbers aren't stored, no amount of hacking will reveal them.

"It shall be a criminal offence for any person other than a card processor to store any information relating to the holder of a card other than the holder's name and the final four digits of the card number after a card payment has been completed or declined." Why keep the last four digits? Because the user will need to provide the full card number, for the same card, to obtain a refund.
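As an added example, not from the original post, here is what the rule above looks like inside a merchant's own system. Once a payment has completed or been declined, the record that survives holds only the cardholder's name and the last four digits; the full number, expiry and security code are never written anywhere. A refund is then matched the way the author describes: the customer presents the full card number again and only its last four digits are compared to the stored stub (after a Luhn checksum sanity check on what was typed). The function and field names, and the card numbers used (publicly known test numbers), are all constructed for the example.

```python
"""Data minimisation for card payments: retain only name and last four digits,
and match refunds against that stub. Added example with constructed names."""
from dataclasses import dataclass


def digits_only(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111-1111-...' compare equal."""
    return "".join(c for c in pan if c.isdigit())


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches typos before a refund lookup, nothing more."""
    digits = [int(c) for c in digits_only(pan)]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class RetainedPayment:
    """Everything a merchant keeps after settlement: no PAN, expiry or CVV field exists."""
    order_id: str
    holder_name: str
    last_four: str
    amount_cents: int
    outcome: str                    # "completed" or "declined"


def retain_after_settlement(order_id, holder_name, pan, expiry, cvv, amount_cents, outcome):
    """Build the record that is allowed to persist once the payment is completed or declined.

    `pan`, `expiry` and `cvv` are accepted only so the caller has one place to hand
    them over; they are dropped here and never stored.
    """
    if outcome not in ("completed", "declined"):
        raise ValueError("retention only applies after the payment completed or was declined")
    del expiry, cvv                 # explicitly discarded, never persisted
    return RetainedPayment(order_id, holder_name, digits_only(pan)[-4:], amount_cents, outcome)


def can_refund(record: RetainedPayment, presented_pan: str, refund_cents: int) -> bool:
    """Refund only a completed payment, to a card whose last four digits match the stub."""
    if record.outcome != "completed":
        return False
    if not luhn_ok(presented_pan):
        return False                # mistyped number, do not even compare
    if digits_only(presented_pan)[-4:] != record.last_four:
        return False
    return 0 < refund_cents <= record.amount_cents


if __name__ == "__main__":
    # Constructed sample using a well-known test card number.
    rec = retain_after_settlement("ORD-1001", "A. Customer", "4111 1111 1111 1111",
                                  "12/29", "123", 5000, "completed")
    print(rec)                      # only name and last four digits are present
    print(can_refund(rec, "4111 1111 1111 1111", 2500))   # True
    print(can_refund(rec, "5555 5555 5555 4444", 2500))   # False, different card
```

The point the code makes is structural rather than clever: because `RetainedPayment` has no field for the full number, a database dump of these records cannot leak it, which is exactly the author's "if the numbers aren't stored, no amount of hacking will reveal them". Four digits are a matching key, not proof of ownership, so a real refund flow would still send the presented number to the card processor, which is the one party the proposed rule allows to hold the full data.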

See. Easy. Free. And it will cut off two of the most widely used attack vectors for opportunistic and organised crime.