How computer security pros hack the hackers

If you want to meet a really smart hacker, talk to a cybersecurity defender. These talented professionals are working every day to make cybercrime harder and less lucrative.

By Roger A. Grimes
June 7, 2017

Rob a real bank and the chances are you'll get less than $8,000, you'll probably be arrested (55 percent of bank robbers were identified and arrested in 2014, the latest year for which FBI statistics are available), and you'll go to jail for years. That poor risk/reward ratio is one reason there are fewer than 4,000 U.S. bank robberies each year.

Contrast that with cybercrime. The FBI says it receives over 22,000 cybercrime complaints each month, and many more crimes likely go unreported. The average reported loss is almost $6,500, yet of more than 269,000 criminal complaints, only 1,500 cases were referred to law enforcement. The FBI's most recent annual reports didn't include conviction rates, but its 2010 report, with a similar number of complaints and referred cases, recorded just six convictions. That's one jailed cyber criminal for every 50,635 victims, and those are only the victims who reported to the FBI at all.

Steal a million dollars online and you'll enjoy your newfound wealth with almost no worry. The difficulty of collecting legally admissible evidence of the crime, jurisdictional barriers (Russia and China are not going to honor United States search warrants and arrest requests anytime soon), and law enforcement's limited capacity to pursue cybercrime make it a low-risk venture. And, as I said before, you don't have to be smart to be a successful hacker. Any kid or crime syndicate can do it. All you need to know is a few tricks of the trade.


The secret of hacking

The secret to hacking is that there is no secret. Hacking is like any other trade, such as plumbing or electrical work: once you learn a few tools and techniques, the rest is practice and perseverance. Most hackers get in by finding missing software patches, misconfigurations, or unpatched vulnerabilities, or by social engineering the victim. If a technique works once, it works a thousand times. It's so easy and works so regularly that many professional penetration testers (people paid to hack legally) quit after a few years because they no longer find it challenging.

In my 30 years of professional penetration testing, I’ve hacked into every single company I’ve been hired to legally break into in three hours or less. That includes every bank, government agency, hospital and type of business. I barely got out of high school, and I flunked out of an easy college with a 0.62 grade average. Let’s just say I’m no Rhodes scholar.

On a scale of one to ten, with ten being the best, I’m maybe a six or seven, and I can break into nearly anything. I’ve worked with hackers that I’ve thought were tens, and they almost universally think of themselves as average. They can list off the people they think are tens. And so on. This is to say that a lot of people can hack into anything they want to. There’s no official count of hackers in the world, but the number is easily in the upper tens of thousands. Luckily, most of them are on the good side.

