By Robert Muggah and Nathan Thompson for Foreign Affairs
Brazil is at the epicenter of a global cybercrime wave. The country ranks second worldwide in online banking fraud and financial malware, and the problem is only getting worse. According to official sources, the number of cyberattacks within the country grew by 197 percent in 2014, and online banking fraud spiked by 40 percent this past year.
Yet much of the Brazilian public remains unaware of the scale of the problem. Policymakers are beginning to respond to the threat, but only in a piecemeal way. If Brazil is to successfully combat cybercrime, a much broader public discussion is required. Legislators, law enforcement agencies, businesses, civil society organizations, and private citizens all need to take cybersecurity much more seriously.
The cost of cybercrime to the Brazilian economy is unclear. One report claims that data theft in Brazil accounted for $4.1 billion to $4.7 billion in losses in 2013. According to other sources, the equivalent of about $3.75 billion has been hacked from the Boleto Bancário, a payment method managed by the Brazilian Federation of Banks, since 2012 alone. This amounts to roughly 495,000 transactions involving 30 banks and affecting more than 192,000 victims. There is almost no publicly available data about which banks are affected.
Most of what we know comes from surveys of businesses and users. A recent study of 450 São Paulo businesses determined that small- and medium-sized businesses are most at risk. Hackers use basic phishing strategies, typically sending e-mails to obtain sensitive information such as passwords and credit card details, and company employees often unwittingly download malware. Some of these vulnerabilities are easily mitigated, including by requiring employees to periodically reset passwords and avoid downloading suspicious messages.
The fact that so many Brazilians are victims of cybercrime is not entirely surprising. After all, 58 percent of the country’s 200 million citizens are connected to the Internet. This compares with 49 percent for both China and South Africa and 18 percent of Indians. At least 45 percent of all banking transactions in Brazil are digital. Brazil, with 130 machines per 100,000 adults, has a greater density of ATMs than the United Kingdom (127 per 100,000), France (109 per 100,000), or Germany (116 per 100,000), according to World Bank data.
And legislation to prosecute cybercrime is weak. Approved in 2012, the so-called Carolina Dieckmann Law established hacking as a criminal offense. But would-be cybercriminals may not find the law’s weak penalties (just three months to one year in prison and a fine) to be much of a deterrent. The U.S. Personal Data Privacy and Security Act, by comparison, comes with sentences of up to five years and/or a fine for similar crimes. Also in the United States, the Computer Fraud and Abuse Act, a law protecting federal computers and banking systems, imposes penalties of up to ten years in prison (with up to 20 years for the second and subsequent offenses) along with hefty fines (up to $250,000 for individuals and $500,000 for organizations). The European Union also recently stepped up sentencing guidelines for the hacking of personal data and other cyberattacks that impact critical infrastructure.
Brazil’s policing capacity is also limited. Law enforcement officials lack the resources to crack down on these types of cybercrimes, and although Brazil’s Ministry of Science, Technology, and Innovation and Ministry of Defense are trying to stimulate more private sector involvement in cybersecurity, their efforts are taking time.