'Wild West' of online fraud finally gets cyber-crime law


Posted at Feb 27 2013 11:29 AM | Updated as of Feb 27 2013 10:33 PM

SAO PAULO - Long seen as the Wild West of online fraud, Brazil is about to implement its first cyber-crimes law in an attempt to protect its rapidly expanding banking and e-commerce industries.

But online security experts warn that jail terms ranging from two months to three years may be insufficient to fight electronic fraud, a problem that cost the local financial industry $700 million in 2012, according to Brazil's banking association Febraban.

Brazil ranks among the world's top producers of spam, Trojan viruses and phishing, according to security firms, and until now Brazilian cyber criminals have operated in the open, trading stolen data in online forums and posting YouTube videos of themselves with wads of cash.

"The sense of impunity is huge," says Fabio Assolini, a senior malware analyst with the online security company Kaspersky Lab in Sao Paulo. "Brazilian cyber criminals feel free to work."

Online theft has not only hit the financial industry but is also casting a shadow over Brazil's growing online retail market, a $12 billion industry that recently attracted heavyweights such as U.S. online retailer Amazon.com Inc .

Experts say Brazil is finally moving in the right direction. However, they warn not to expect an overnight fix for Latin America's largest online marketplace.

"We see an awakening phase in Brazil," says Limor Kessem, a cyber crimes specialist in Tel Aviv with online security firm RSA, a division of EMC Corp.

"Things will really start changing once criminals see other people are being arrested and going to jail."


The law that takes effect in April was hastily passed last year after Carolina Dieckmann, a Brazilian soap opera star, had dozens of intimate pictures stolen from her computer and leaked to the Internet.

Security experts say the "Carolina Dieckmann Computer Crimes Law" should, for instance, help improve Brazil's dubious position as a global producer of phishing, a type of crime where hackers redirect users of financial services to fake sites to steal their passwords and other confidential data.

Reported phishing attacks in Brazil jumped 95 percent last year, according to official figures. RSA says Brazil is the world's fourth-biggest host of such attacks after the United States, Britain and Germany.

What makes Brazil so attractive? Lack of regulation on the one hand coupled with a fast-growing base of new Internet users.

With just 48 percent of its population online and a swelling middle class, Brazil is seen as one of the new frontiers for Internet services and e-commerce.

"As digital inclusion increases so does the number of potential victims of fraud," says Demi Getschko, director of Brazil's Internet regulator, NIC.br.

Brazilians also use Internet banking at rates comparable to more developed markets. Almost 50 percent of the country's bank accounts are accessible online, similar to U.S. levels and twice the Latin American average.

Brazil's banking industry says it was able to stem losses from electronic fraud by 7 percent in 2012, mainly through stronger authentication protocols.

Febraban welcomed the law but says it wants more.

"I am sure the penalties will have to be revised in the future because these crimes are much more dangerous than they are made out to be in the law," said Marcelo Câmara, Febraban's director of fraud prevention.


Brazil's phishing boom is in part the consequence of recent success in fighting credit card cloning, which typically involves a store employee swiping a card through a device that steals the information stored on its magnetic band. Almost all new cards issued by Brazilian banks have chips embedded, which makes them harder to clone.

"When you close their door to the physical world, criminals move to other channels such as e-commerce," says Jacinto Cofiño, head of payment system risk for Latin America and the Caribbean for Visa.

But Visa, the world's largest electronic payments network, says the losses due to electronic fraud average only five cents for every $100 in transactions.

A tighter security environment could also force Brazilian hackers to cover their electronic tracks and start targeting banks elsewhere in Latin America, said Kaspersky Lab specialist Assolini.

"Until now they were stealing here," he said. "But once the law kicks in they will start attacking other countries."

Earlier this month Kaspersky reported a barrage of attacks involving Brazilian Trojans - a type of virus designed to monitor and steal users data - against the Web sites of 60 banks in Argentina, Bolivia, Chile, Colombia, Ecuador, Mexico, Paraguay, Perú, Uruguay and Venezuela.

Brazilian cyber crime, the security firm said, is becoming a regional problem.

"The fact that there isn't cross border cooperation or legal hurdles means that unfortunately cyber criminals will enjoy easy money and impunity for some time," Kaspersky said in a recent report.