Ripped off online

With cybercrime on the rise, some people are asking: Is the Internet safe to use?

The answer, it seems, depends on who you ask.

Some say the Internet is broken. They say even savvy Internet users can't stop criminals from hacking into online transactions and stealing financial data such as credit card numbers, banking info or other personal data.

Others disagree, saying a prudent approach to using the Internet will keep people reasonably safe.

Both sides agree on this much: Internet crime is increasing and people need to learn how to secure themselves online because cybercriminals often target those who are least protected.

At a tech conference in San Francisco this month, one security expert told fellow software developers that the Internet had become so vulnerable to criminals he wouldn't recommend it to the average person.

If software developers don't improve security soon, he warned, people will begin logging off en masse.

"There is going to be a reckoning," said Alex Stamos, a co-founder of iSEC Partners, a security consulting firm in San Francisco. "We're past the point where I can recommend my mom use the Internet."

The Internet is plagued with security holes. Experts agree on that.

Those vulnerabilities are becoming more apparent every day -- with headline stories about the recent Conficker worm, or the Twitter worm, or the tens of millions of credit card numbers stolen online from a processing center in January. But will the bad press change the public's love affair with the Internet?

The idea that people will be afraid to conduct business online might seem like a faded sentiment from the 1990s, but as more people get ripped off online, it's possible that old sentiment could experience a resurgence.

Take, for example, Cindy Rich, who fell victim to cybercrime last month.

Rich, a county employee who lives in Santa Rosa, awoke one morning to discover just over $2,000 stolen from her bank account with Redwood Credit Union. A criminal had gotten access to her online PayPal account -- likely by hacking into her home computer or tricking her into revealing her password by sending a scam e-mail.

Through her PayPal account, the culprit was able to withdraw the $2,200 from her checking account. Her husband quickly contacted the bank, which was able to recover the money.

But Rich's reaction to the event should strike a warning note in the ears of anyone who makes their living doing business online: "I sometimes hesitate to turn on my computer now," she said.

The Internet's dark side

Rich is neither paranoid, nor is her experience all that unique, according to some experts.

"Most people just don't see the evil that is coming through the wall into their computer," said Jeffrey Aguilera, founder of Red Condor, a Rohnert Park company that provides spam protection.

The lines running into nearly every home in Sonoma County can connect people not only with the wonderful promises of the Internet -- such as news, music, movies, friends and family -- but also to some of the most seedy criminals in the world.

"The guys on the other end could be the mafia, or an unemployed Russian nuclear engineer who has been recruited into a crime syndicate," Aguilera said. "They are not just some bored high school student with extra time. These guys are out there to make money, and they're doing an awful good job."

The number of cybercrime complaints increased 33 percent last year, rising to an all-time high of 275,000, according to the Internet Crime Complaint Center, which is jointly run by the Federal Bureau of Investigations and National White Collar Crime Center.

A quarter-million cybercrimes might seem high, but it in no way represents the total number of online crimes committed against Americans. The center only tracks complaints it receives, and not ones that go to the Federal Trade Commission, the U.S. Secret Service or other agencies that also track cybercrimes.

Cybercrime is worsening

The number of cybercrimes committed in 2009 is expected to be the largest yet.

"With the downturn in the economy, there is going to be an uptick in this type of crime," said Jack Bennett, a special agent with the FBI's cybercrime unit in San Francisco.

It's not just residential Internet users who should be worried, Bennett said. Small business owners should be concerned too.

He described one scenario where a small business could be compromised through a security hole in its Web site. Criminals, once having breached the site, can install their programs on a business computer and get passwords or account information.

"If they get into a business owner's account, they might extricate $100,000 from him," Bennett said. "Once it goes to a Moscow bank, and is withdrawn, it's gone."

The FBI is seeing an upswing in that type of crime, he said, because most mom-and-pop shops don't have the money to invest in high-end security like corporations with large IT budgets.

Security solution years off

Unfortunately, it could be another 10 or 15 years until security experts design systems capable of adequately protecting the average user, Aguilera said. And he is in a unique place to know: He's on the front lines of what is working best. Red Condor's anti-spam solution was recently ranked best overall by a reviewer for the tech publication Info World.

Aguilera reluctantly hooked his mom up with the Internet, but only after he set Windows Vista's security settings all the way up, stripped his mom of admin rights so she couldn't install any programs, and configured an external router to act as an additional firewall.

"I set my mom's firewall up so stringent it's almost like she's not using the Internet," he said. "And even all that doesn't make me feel totally comfortable that nothing will happen."

No one is safe

As Internet security stands now, people who are doing nothing wrong online -- just visiting a friend's MySpace page or opening an e-mail attachment from a co-worker -- can become infected with a computer worm that will give criminals access to their bank accounts, credit card numbers, or any other data stored or typed on their computer.

Even if you've installed the latest patches to your operating system, and are running an anti-viral software with all the latest updates, your computer can still become infected. Taking those precautions, which are highly recommended, do lower your risk. But those programs cannot protect against a new virus. When a new virus hits, someone has to find a way to stop it before Microsoft and security vendors can send out an update to protect against it.

All around the world, every day, criminals are busy developing new ways to exploit computers. So common online activities can turn into a cybercrime when criminals are able to infiltrate, say, a Web site and install a little program called a script that exploits a security hole in someone's computer.

It's possible that Rich visited such a site, allowing a criminal to install a program that monitored every password she typed on her computer.

Just about everyone agrees that security holes are far too prevalent online. But perhaps the biggest security vulnerability online is the average user, who is largely uneducated about best practices for Internet use.

"We can minimize your exposure to risk, but in the end, it comes down to user education," Aguilera said. "You can't do stupid things that increase your risk."

Is safe behavior enough?

By following safety guidelines, the Internet can be as safe as any other form of communication, said Joanna Crane, program manager of the Federal Trade Commissions Identity Theft Program.

"If you're smart, and you're vigilant, and you keep your anti-malware software updated, and your computer patched," Crane said, "you will minimize your risk and the Internet is an efficient place to do business."

But even Crane, who practices safe Internet use, had her credit card stolen online. Special agent Bennett also had his credit card stolen online, as did Aguilera. "I do this for a living, and I still had my information stolen," Bennett said.

All three believe their credit card numbers were stolen when a company they did business with had its Internet security breached. Bennett said his was stolen when intruders hacked into the Westin Hotel computers. Crane had two stolen -- one when TJ Maxx was hacked, resulting in more than 45 million credit card numbers being stolen and another one this year when the credit card processing company Heartland Payment Systems had its security breached and tens of millions of credit card numbers were stolen. Aguilera isn't sure where his was stolen, but was notified by his credit card company when someone tried to buy plane tickets from Buenos Aires to Ecuador.

As for whether the Internet is still safe to use, Bennett said it might be a moot point.

"The Internet is a genie out of the bottle. It is going to be there," he said. "Now we need to learn how to manage it."

-- You can reach Staff Writer Nathan Halverson at 521-5494 or nathan.halverson@pressdemocrat.com. Check out his blog at DailyGeek.Pressdemocrat.com or on twitter.com/eWords.