I was recently reminded of the truism that security is about managing risk. You cannot eliminate all risk. When we think of cyber criminals we tend to think of phishers, criminal gangs writing malware to steal passwords, and eBay scammers. So we try to deal with “reputable” companies to eliminate the risk of theft and fraud, but as you will see, this does not always work out.

Cybercrime is simply crime committed using computers and/or the internet. There are many variations on this definition, but I think this one works just fine.

Dealing with a reputable company can minimize your risk of fraud or theft, but it does not eliminate it. Before I get to my specific example, it may be useful to explain “Bait and switch”.

Bait and switch is essentially when a company offers a product at one price, but then fails to honor the offer. They may fail to honor the offer by offering an inferior product or by raising the price.

I recently booked a round-trip flight from Frankfurt, Germany to Amsterdam, Holland on KLM airlines using the Northwest Airlines web site. Northwest Airlines sent an email confirming my purchase of the flight for the price of $313.63. The next thing Northwest Airlines, who incidentally are the same as Delta Airlines now, did was to silently cancel my ticket. Northwest knew that I would be stranded in Frankfurt with my only real option being to pay KLM, who is also Air France, more than twice as much money to make my appointment in Holland.

This appears to be a particularly nefarious bait and switch scam in that the airlines know the customer can’t easily back out of the deal. One might say that it was an accident, but logically if it was an accident then Northwest Airlines would have accepted responsibility for the increased fare and refunded the difference since they were exclusively at fault for not notifying a passenger when they cancel a ticket. I contacted Northwest and their response was that they were sorry, but they would accept no responsibility for their actions. I would guess they have a pretty lucrative kickback scheme with Air France and that the money will be pretty hard to trace.

You can dramatically reduce risk by dealing with well-known companies, but you can’t eliminate it. In this case, Northwest Airlines used the internet, which is how I booked my tickets, to perpetrate what appears to be a classic bait and switch scam.

I’ll figure out who the appropriate law enforcement agencies are and see what they think about it. In the meantime, I’ve filed a complaint with the Better Business Bureau.

Randy Abrams
Director of Technical Education
ESET LLC