October 2008 Archives


France may have emerged as a country with one of the world's most developed online banking markets but as far as online security goes, this country surely has a long way to go. How else can you describe the online security of this country's financial system where even the President can find that his personal bank account has been hacked by cyber criminals?

Early this week, France's online security systems received quite a jolt when the French Cabinet revealed that online hackers managed to break into the personal bank account of President Nicolas Sarkozy, and "swindle" some money -- not a large sum though. The government admitted that this incident demonstrated that the country's online banking security is not perfect.

Amusing as this incident may look on its face, it is nevertheless a serious breach, especially considering that close to half of France's Internet users access their bank accounts online. Additionally, Europe's online banking also has its highest adoption rate in France.

Just the day after the Sarkozy bank account embezzlement was reported, comScore -- who claim to be a leader in measuring the digital world -- released a report on the French online banking sector. This, in essence, said that France is one of the world's most developed markets for online banking.

comScore found that of the 37 global markets, France ranked fourth in penetration of online banking, with 46 percent of French Internet users accessing online banking sites in August 2008. Countries ahead of France are Canada (64 percent), the Netherlands (51 percent) and Sweden (47 percent).

With an average of 6 usage days and 7 online banking visits per visitor, comScore said French Internet users also exhibited high frequency in accessing online banking sites. Clearly, as Herve Le Jouan, Managing Director, comScore Europe, says, online banking has emerged as "an important business sector in France, with one of the highest adoption rates in Europe," and "with competition in the online banking sector in France already fierce, marketers need to ensure that they meet their needs online, and ultimately capitalize upon the growing popularity of the sector."

But have the French banks and the other eCommerce players in that country realized that? It doesn't seem so, if reports available on the website of the Bank of France, the country's central bank, are any pointer to that problem.

For instance in a report on Internal Security Standards, Bank of France said, "The Bank found that reports from a number of large institutions showed that internal standards lacked proper support, often being limited to control points for transactions handled by their branch network."

Of course one can argue that the situation was what it used to be since that report was published in 2006. Still, not much may have improved since then. For that matter, an IDG News Service report warned even last year that French banks and merchants are not putting in place anti-fraud technology to catch bad online transactions.

According to Marc Andries, head of the oversight division for the Bank of France, the country's central bank, who was quoted in that report, some banks, deterred by high deployment costs, don't even have some basic security measures in place, such as a password authentication system.

Of course, a big reason why online security measures are lacking in France is that its online users themselves are not highly security conscious and are often reluctant to use even passwords. "French customers are somewhat exceptional in that they show medium adoption rates (of security) despite having the most concerns," said Thomas Meyer, the author of a Deutsche Bank study on online banking in Europe, released last year.

Still, it is strange that, unlike in the USA, where the Federal Financial Institutions Examination Council, which supervises U.S. financial institutions, mandated that all banks implement a double-layered authentication system at the least, France's central bank imposes no such binding requirement.

According to Andries -- as quoted in the IDG report -- the Bank of France does not dictate how banks should strengthen their security or what technology they should use.

But perhaps the Sarkozy incident will change all that now. Reports suggest that it has rattled the powers that be, with Luc Chatel, secretary of state for consumer affairs, admitting that the French government has realized no one is safe from Internet fraud and that more work needs to be done to tighten Internet banking security in France. Additionally, according to the national crime agency, the country has seen a 9 percent rise in Internet fraud offenses this year.

Meanwhile, this incident should at least come as an eye-opener for the close to 14.8 million French Internet users who visited at least one online banking site in August 2008. Interestingly, most of these users are mature enough; consumers in the 35-44 year age segment and those 55 years and older visit online banking sites most frequently, says comScore.

Photo by Arka Roy. Creative Commons License Attribution-No Derivative Works 2.0 Generic

What do creators of a software application used by criminals do when their product gets so popular that it starts attracting worldwide attention? Simple; just declare themselves bankrupt and go underground until the hoopla dies. And then come back with a new version to make up for the lost business.

That's exactly what has happened with Neosploit - the most notorious and most advanced infection kit used by online criminals to infect computers with malware for extracting sensitive information remotely.

Neosploit first surfaced in the e-crime scene in 2007 and was sold undercover over the Internet through blogs and ICQ sites to online criminals. But unlike its infamous predecessors such as MPack, Icepack and WebAttacker, it was far more advanced. For instance, say experts, Neosploit could hunt out vulnerabilities in operating systems like Windows and Linux and launch attack codes automatically. Besides, it also had sophisticated statistical analysis and management tools.

This is why it gained popularity so rapidly: within a year, not only criminals but almost everyone concerned with online security was downloading it -- some for e-crime use, while others wanted to crack how it worked to take counter-offensive actions. Then, in an ironic twist, e-pirates started circulating pirated versions to cash in on its demand.


"Its notoriety even attracted the attention of many federal security agencies around the world that started tracking it to pin down its users," says Ian Amit, director of security research at the Tel Aviv-based information security company, Aladdin Knowledge Systems.

Scared by this attention, Neosploit's creators adopted a smart survival strategy. They announced on a website in July that Neosploit was facing financial problems due to a drought of orders and was going out of business.

According to RSA FraudAction Research Labs -- first to notice the announcement -- the creators said: "Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself."

The announcement also added, "We tried hard to satisfy our clients' needs during the last few months, but the support had to end at some point. Now we will not be with you, but nevertheless we wish that your businesses will prosper for a long time."

Interestingly, so convincing was that announcement that Computerworld, while reporting the shutdown, said Neosploit "has been retired from service by its criminal creators, most likely because it was priced too high compared to the competition."

"But in hindsight it seems it was just a clever tactic to escape attention because they were underground for just a few weeks," explains Amit, who discovered in August that Neosploit was not only back in circulation, but had come out with an enhanced version called Neosploit 3.1.

It was indeed a smart move because no one in the security industry anticipated that a newer version of Neosploit would be doing the rounds. "In fact, when newer attacks that contained the signature of Neosploit were noticed a few months back, even the largest of security vendors thought that it was some other new hacking software," says Amit.

Amit believes Neosploit's creators actually planned to create a newer version of Neosploit but since they didn't want to attract any more attention, they simply went out of circulation for a while. "My guess is when they came back, they did it equally surreptitiously because the newer version of this software is not available for downloads through the earlier used blogging or ICQ sites. Quite probably Neosploit 3.1 is selling through direct selling channels now," says Amit.

Neosploit's re-introduction is a truly notable instance of how the huge demand from the cybercrime world is forcing cybercriminals to come up with innovative strategies to beat the system. The profitability of developing newer versions in Neosploit's case not only compensated them for going underground and losing a few weeks' or months' business. It also allowed the infamous software to move from established, but compromised, distribution channels to others and still thrive, says Amit.

Nevertheless, now that Neosploit's resurfacing has been identified, it will be easier for the security industry to identify some of the unsolved attacks of the past few months and even predict newer attacks, says Amit.

Meanwhile, digging for the spoils of Neosploit 3.1 has led Amit to yet another significant discovery -- the existence of the biggest organized e-crime operation ever. But that's another story which I will cover in greater detail soon as a feature in Digital Communities. So keep an eye out...

 



Having failed to achieve the ambitious target it had set for itself during its formation in 2005, OLPC seems to have embarked upon a corporate restructuring strategy to reenergize its famous one-laptop-per-child concept.

According to Satish Jha, President and CEO of the recently formed OLPC India, the Boston-based foundation OLPC has set up region-focused operations in various parts of the world to give an impetus to the proliferation of the concept under an "organized format."

Already OLPC has been divided into about 4 broad divisions, with a CEO in each responsible for crafting and implementing ambitious growth strategies in their respective regions. These are OLPC Europe, OLPC China, OLPC India, and OLPC Ibero-America and The Caribbean.

OLPC Europe is headed by maverick Belgian entrepreneur Walter De Brouwer -- as President and CEO -- who is most known for forming the European company Starlab, the first private blue sky research laboratory. OLPC's website says that OLPC Europe will function with the cooperation of Foundation Roi Baudouin, an NGO that assists in funding and setting up of investment syndicates for least developed countries, newly industrialized countries and failed states. This division also has Matt Keller of the World Food Program as a Director with the responsibility of introducing and distributing the XO laptops in Europe, the Middle East, and Africa.

Similarly OLPC China, headed by Anthony Wong -- the ex-honcho of China Telecom -- is charged with promoting OLPC's mission in China and South East Asia. And Satish Jha has taken up the responsibility of XO's penetration in India, coupled with a few other regions in Asia that are outside the domain of OLPC China.

OLPC Ibero-America and The Caribbean -- headed by Rodrigo Arboleda -- will, as the name suggests, look after all the Spanish-speaking countries in the Americas, Brazil, and the Caribbean region, while the whole of North America would be under OLPC's president and COO, Charles Kane. Additionally, according to Jha, OLPC has also roped in Jorge Castañeda, the "very powerful and influential" ex-foreign minister of Mexico, to promote XO in the newly industrialized federal constitutional republic.

In each of these regions, according to Jha, OLPC will work with partner organizations if required to achieve its objectives. "OLPC still believes that there is a huge potential for XO globally and for it to be able to tap that potential, OLPC had to create a corporate format."

But that doesn't mean that these divisions and the OLPC Foundation will function as a company. "We are not hardcore businessmen," says Jha. "We are evangelists; we are organizers. We will act as managers to oversee the entire distribution framework of the concept while leaving the implementation and many other related functions to partners who are experts in their domains."

Ever since its launch, with a brazenly ambitious target of providing 100 million laptops by 2008 to the children of all the developing countries -- and thereby changing the face of third world education systems from a paper/slate-based system to a screen-based one -- OLPC has not only failed to achieve its target but has suffered from a multitude of setbacks, some of which almost threatened to send OLPC to the brink.

The setbacks were serious. Starting with the doubling of the cost of an XO -- from the $100 estimated initially to the current cost of around $200 -- to the challenge of a similar low-budget computer for developing countries launched by Intel, to the exodus of key officials from the project, this project has faced rough times.

However, OLPC's most daunting challenge was -- and continues to be -- its acceptance globally. Although the concept received glowing reviews at the time of launch, few governments around the world were willing to bet on it. In fact, in an admission of OLPC's disappointing track record, Negroponte even told The International Herald Tribune last year that he had "to some degree underestimated the difference between shaking the hand of a head of state and having a check written."

Consequently, against the targeted 100 million XOs, OLPC has been able to ship about a million so far.

Nevertheless, it appears Negroponte and his current team remain determined to turn around OLPC's fortunes. "We are doing all that it takes to achieve our goals," says Jha, who is stationed at the OLPC headquarters in Boston. "Starting from re-structuring OLPC as an organization, to roping in some of the most influential heads of operations, to even tying with world's top names for manufacture (Quanta of Taiwan to manufacture XO) and distributing XO (with Amazon.com for its Get-One-Give-One program that starts in November), OLPC has adopted a renewed strategy to aggressively promote the concept again globally."

And that thrust will start from China and India, adds Jha. "China and India are our biggest markets," he says.

OLPC India plans to distribute "three million XO laptops in India in the next 12 months" and engage "all the state government, large companies, social foundations, and NGOs to give a new thrust to the OLPC agenda in India."

The cost of the XOs in India is going to be fairly high -- at about $300 each. But that's because the XOs will come with additional features like a camera, USB ports, and even a CDMA modem for wireless Internet connection, says Sumit Chowdhury, of Digital Bridge Foundation, the NGO in India that launched XO on its own about a year back. It is now one of the implementation partners of OLPC India.

According to Chowdhury, who is also the CIO of Reliance Communication, one of the largest telecom service providers in India, the CDMA (USB) modem that The Digital Bridge Foundation has "specially developed" for XO "not only connects the XO to the Internet wirelessly, but also turns the XO into a phone -- a first in the world so far."

Although Anthony Wong couldn't be reached to comment on OLPC's China plans, Jha said that China's potential is as big as India's, since "just like India, every fourth child in the world is a Chinese."

Even so, the question that still remains (despite the renewed thrust, potentials, et al): can the XO really reach the target that OLPC India (and OLPC China as well, for that matter) have set for themselves? Only time will tell.


Photo by Jarrett Campbell. Creative Commons License Attribution 2.0 Generic