Is digital fraud big in UK? British abacus-botherers finally have some answers

Reports of fraud have doubled, according to official statistics – because the Office for National Statistics (ONS) is now including cyber crimes in its figures. The UK's ONS reckons, in crime statistics released last week, that more than two million computer misuse offences and 3.8 million online fraud offences took place in …

  1. HAL-9000

    Rethink time

    Security at the software level alone is obviously not working, perhaps it's time for a rethink of the hardware layer and the architecture that runs a great deal of the world's computational capacity (x86), or perhaps (gasp) the way the interweb is engineered.

    Something's not right obviously, and can we afford the current escalating arms race?

    1. Alister

      Re: Rethink time

      "Security at the software level alone is obviously not working,"

      I would question whether that is the case. A large majority of cyber crime takes place because of human failings. The software is capable of being made secure, however shoddy implementation is often the cause of poor security.

      Consider that a lot of leaks of personal information from the web are still being made possible by SQL injection attacks. This is (should be) a solved problem - but still people write software which allows it to happen.

      The other major vector for poor security is passwords: people either use weak passwords, or use the same password in more than one place. Again, using passwords is not intrinsically insecure - done properly it can be very secure - but the way people do use passwords is seldom correct.

      So it's not the software that is the problem, it's the wetware that uses it.

      1. Paul Crawford

        Re: Rethink time

        Exactly. So much of the problem is simply crap software.

        This is made more crap by the mind-set that software is expected to be shit, so bugs are accepted, vendors not held to account, and people simply click on "OK" without reading that pop-up asking if shaftmewithatoastingfork.exe should be allowed to run.

        Second aspect of a lot of this is the lack of 2FA for important stuff, or the "two factors" both relying on a single device like a phone that may already be compromised.

      2. Dan 55

        Re: Rethink time

        I would respectfully disagree that it's just a user problem, when it comes to certificate management, browsers and OSes are currently at Windows Paint's level.

        You should be able to use certificates to designate certain devices as yours, denying logins from other devices as they don't have them, and it should happen automagically.

      3. Brian O'Byrne

        Re: Rethink time

        Alister,

        Software is definitely the problem. Software needs to be written for the people that will use it, instead (at best) it is written for a hypothetical user that always behaves exactly as required by the system. At worst it is written without any regard for the user at all.

        Imagine an office building for 1000 staff. The elevators are designed to carry up to 1000 people per hour. When everyone arrives at about 9am there are queues of up to an hour at the elevators. Is that because the people are stupid for all arriving at the same time or because the building was designed without proper consideration for how it will be used?

        That is not a perfect analogy, but a lot of software issues are like that; there are assumptions made about user behaviour that are not valid or not safe. As an industry we then blame the user for not behaving as designed. We should blame the system for being badly designed.

        1. Alister

          Re: Rethink time

          @Brian O'Byrne

          I think you misunderstood my point, slightly. I'm not saying it's always the user who is at fault, what I meant was that there is no fundamental weakness that means you cannot write secure software.

          It is humans who write the shoddy software which still allows SQL injection to be an issue, even though it is perfectly possible to write software without that vulnerability, or most others.

          As you say, software is often designed without a clear understanding of its use. But that too is not the software's fault, it is a human failing.

          I was responding to the OP who said "Security at the software level alone is obviously not working", and the point I was making is that it is eminently possible to write secure software, it's just people don't.

  2. Anonymous Coward

    that's the problem with crime rate..

    It's based on collected and classified crimes. Once you declassify a crime, or re-classify it, it disappears statistically from view, even if it's still 'there'. I see sexual offences are rising, but it could still be the same rate, it's just that a) more people are reporting it and b) other crimes have been re-classified as sexual offences. Does it mean more sexual offences are committed? Not necessarily... and herein lies the problem.

    Lies, damn lies, and statistics.

  3. Peter Sommer

    What is a "cybercrime" ?

    There is no UK offence of "cybercrime"; the closest one gets is in the 1990 Computer Misuse Act. But most cybercrimes are in fact prosecuted as frauds under the 2006 Fraud Act, or as conspiracies, harassment, extortion, offences against children etc etc - you get the general idea. That's the first problem with cybercrime statistics. The second is the absence of any generally agreed definition - a now notorious BAE estimate endorsed by the Cabinet Office included "industrial espionage" as a very large element, although there is no theft of trade secrets law in the UK either. Next, how do we deal with guesses about attempts - is each stupid easily detected Nigerian or "update your security details" scam included in your statistics - or each bit of malware spotted by your A-V software? Or only "serious" attempts? There is no universally accepted answer to any of these. And then there's the question of value - it's clear enough when cash actually disappears, but do you include remedial costs, or the consequences of a lost business opportunity, or to reputation?

    The only real answer for statistics compilers is: make the figures large if you want the press coverage.

    1. Anonymous Coward

      Re: What is a "cybercrime" ?

      Good question - for example, does it now include credit card fraud?

  4. Mahhn

    Education

    Maybe it's time to do public education on basic home IT security.

    Public service, AV companies can sponsor it to market their wares.

  5. Anonymous Coward

    The problem with improving personal security on-line is that the powers-that-be always regard it as an opportunity to reduce personal privacy at the same time.
