Good afternoon. I'm happy to be here. The idea today is to share a bit about what we do in France against cybercrime. So it's not really related to your conference, but it's actually a very technical topic on some aspects. It's also a sociological subject. And it's something that I suppose you've all been confronted with at some point in time, and you might have a role to play in this area.

So just a few words about myself. I'm a colonel with the Gendarmerie Nationale. That's one of the two national police forces in France. We're in charge of everything that's outside big cities. So that's roughly half the population and 95% of the territory. And in the Gendarmerie we have 100,000 police officers doing all sorts of police activities. So from criminal investigations to safety on highways, etc.

My background is technical. I entered the Gendarmerie as an engineer back in 1995. And since 1998, I've been working on the cybercrime-related topics, first in a forensic laboratory as head of our forensic IT laboratory near Paris. And then I've been in different positions looking at strategy against cybercrime, managing a cybercrime unit at a national level most recently. And since last May, I've been appointed as a Chief Digital Strategy Officer. It's a new position that we've opened in our organization to deal with digital transformation and our strategy against cyber threats. So it still has a cyber aspect. But we also try to cover all other aspects of innovation related to digital tools, techniques, methods, platforms to enhance the work of our law enforcement agency and our relationship with the public. So it's actually a very interesting new challenge.

But I'll be focusing on cybercrime in my talk. The idea is to give you a view of how things have evolved over the past 20 years. I'm not going to cover everything, so it's going to focus on roughly three aspects.
But if you have questions more generally about how we envisage the digital transformation of our organization, feel free to ask those questions at the end of the talk if you wish. So we have roughly 30 minutes and then 10 minutes for questions, and then you need to rush for your social events. So that was about me.

So just to give you a broader focus to be sure that you understand all the actors in terms of law enforcement. So Interpol, that's the police cooperation organization at an international level. The main base, the main headquarters for cyber are in Singapore. It used to be in Lyon, where Interpol is still set, but there's a special team that was set up five years ago in Singapore. It's in the Interpol international global complex for innovation, and they have the cybercrime division there. It's people from law enforcement but also people from the private sector who work together.

Now if you look at Europol in Europe, the police cooperation organization is Europol. There's a special unit that was created in 2015. It's called the European Cybercrime Center, and it's organized on three main pillars. One is called Cyborg, as you can see on the left, against cyber attacks, malware, etc. The second is called Terminal, against credit card fraud. And the third one is called Twins, that's against child pornography. So those are the three main priorities, but actually they tend to also work on drug trafficking on the internet, money laundering, etc. All other aspects that are related to the cyber arena. Today I guess there are around 80 or 100 staff at Europol dealing with cybercrime. Since 2015 it's made us do a lot of progress. So it's a good opportunity that was developed there.

In France, so coming back to France, I told you there are two national police forces. One is called Police Nationale, the national police. The second is called the Gendarmerie. We also have customs. We also have consumer protection agencies and so on.
But the two main actors are the police and the Gendarmerie. And for the Gendarmerie, our network of specialized investigators is called CyberGend, or CyberGendarmerie. And it's 270 specialized investigators all over the country. And 3,800 local correspondents. So the specialized investigators, they do forensics, advanced investigations. And the local correspondents, they have a much shorter training and they're in direct contact with the victims, with the public, dealing with cybercrime directly on the field. At the top of that pyramid, there's a team of roughly 50 people dealing with cybercrime on the internet. So looking for crime on the internet. Or my former unit, now they're 25, also dealing with IT forensics. So that's the people working against cybercrime in the Gendarmerie, in the police. There's a similar organization, but they're organized in a different manner. But there's specialized investigators against cybercrime as well.

Okay, so now my first focus, credit card fraud. So if we look a bit back in time, so these are not credit cards or these are not counterfeit credit cards, actually it's counterfeiting of telephone cards. So for the younger ones, we used to have phone booths. There's no longer any one of them working in Paris. And you needed a special smart card that contained units, 120 units or 50 units. And you could make a phone call with that.

The counterfeit here used programmable smart cards. So at the bottom on the left, it's self-made. So there's a programmable component, a programmable chip from different manufacturers. And there's the memory. You write the program in the memory and in the programmable component. And then you can fake the functioning of a telephone card. Then they moved to programmable cards. So it's all included in one card that physically is just like a real smart card, but you can reprogram it. And, well, that's useful for people who want to make phone calls, but it's not a lot of money. So they moved to banking cards.
So we had a series of evolutions in credit card fraud. And the idea here, what you see on the screen, is the chip and the contacts from a programmable card that has been put on top of a real banking card. But before doing that, they copied some of the information from the real chip on the banking card. So that no longer works, but it was an attack that was possible. And they just reproduced some of the encryption keys, signature keys, actually, that were used on the smart card.

This is another type of device. It's more simple, the idea. So maybe you've encountered some, it's just to copy the magnetic stripe from the smart card. And to copy also the PIN code. You can see many of those on different websites describing how they work and how they store information or transmit information and so on.

The bad guys are always developing new techniques. And actually in this case it's not the bad guys developing the techniques. It's a university in the UK. And actually it's interesting. So they discovered that it was possible to do a man-in-the-middle attack on the dialogue between the smart card and the smart card reader. This is no longer possible, but they found a flaw in one of the first implementations of those cards in the UK and Europe in general.

This is a case we had more recently in 2013. So there's the technical aspect is interesting, but also the organization behind it. So the technical aspect you see from the picture, the difference between the two, is that on the left the card seems to be inserted all the way inside and on the right inserted just a bit. So there's actually half the card that's almost out of it. So on the left it's a modified version of a terminal that was used to copy the magnetic stripe. So to copy the full magnetic stripe you need the card to go fully inside. And when the card owner removes the card, there's a magnetic stripe reader that copies the stripe. And it's also a modified keyboard.
Actually they plugged into the actual keyboard of those devices and they were able to copy the PIN code. So normally that's not possible. Actually they managed to go around the safeties that were set by the developer of that specific type of point of sale terminal. And they were able to open it. Normally if you open it, it becomes a brick. You cannot use it anymore, but they found a way around it. And they modified the actual shape and the content of the terminal.

And then they needed to replace the point of sale terminal inside shops. So what they did, they sent people around France, around Germany with modified devices and they swapped the devices with the modified ones. So inside the shops, the shop owner wouldn't notice and they were able to copy cards using that process. So in that case it's just to copy the data from the magnetic stripe and the PIN code. So what that allows you to do is to withdraw cash from cash machines that don't use the PIN. So that's the case in many regions in the world outside of Europe or outside of America. But it's less and less the case. In Southeast Asia for instance now the chip card is used as well. So it's not possible anymore.

So in this case it was not people from our usual suspect areas in Europe that were behind it. It was people from Canada, from Quebec who were organizing that. And it's actually motorbike gangs who usually do drug trafficking. And they invested in credit card fraud and they paid for people to move around the world and do that. So it took us one year with the Sûreté du Québec in Canada with Europol and the BKA in Germany to identify the guys and arrest them. It was quite an interesting case.

So that's the evolution of credit card fraud. And the last aspect is this one. So in France we have an organization that's in charge of collecting numbers around fraud against credit card fraud. It's called the Observatory on the Payment Card Safety or Security.
And since 2006 we've been collecting information from banks. So that's official numbers. And I extracted some of the numbers. So the actual volume of fraud hasn't evolved a lot. It's roughly the same percentage of the overall transactions. So because we've had the chip cards for a long time in France and in Europe. So there's not a lot of fraud. But because there are a lot of transactions it's still a lot of cases potentially. Roughly every year there could be around one million users that ask their bank to change their credit card because of fraud.

So the numbers on the chart. It's the evolution of the share of fraudulent transactions committed on the internet against the total number of fraudulent transactions. So in 2006 we had between 6 and 10% of transactions that were done illegally on the internet. Today, so those are the numbers from last year, the total fraud on credit cards that is done on the internet for France is between 60 and 70%, depending on if you look at the value of the transactions or the number of fraudulent transactions. So that's 70% of roughly 2.1, 2.2 million cases. So the actual evolution is we've moved from fraud that was mainly copying cards and using them to withdraw cash. And today it's mostly data that is stolen from online merchants and then is used on the internet. So credit card fraud is really part of cybercrime today even more than before.

Second aspect: if you look at attacks against computer systems, you can have the same chart in all countries. So it's not that different. So if you look at all the types of illegal activities, illegal access or malware, botnets, denial of service. It's mostly international, the origin of the attack. Sometimes it's local. The local attacks are mostly around fraudulent access, companies spying on each other, even in France. Some malware cases originate from France, but most of the cases the suspects are in other parts of the world.
For us, other parts of the world is the east of Europe, North Africa, sometimes South America. And depending on what country you're sitting in, the suspects are very often in another country. And I suppose Russians are attacked by suspects from other parts of the world as well.

The actors, and I'm going to go more in detail about that, it's mostly isolated people with some form of organization. They work with people who do the coding. There are some script kiddies, but most of what we see is some form of criminal ecosystem with people developing, selling and using. And then in some cases there's a real organized crime. And I'm going to give one example.

So CEO fraud is something that has developed a lot in France over the past let's say five to eight years. The idea is to convince a company that you're the CEO of the company or an important member of the organization. And you order your company to send a wire transfer, money by hundreds of thousands of euros, to an account outside the company. Because you need to do a transaction because you have a contract negotiation and so on. And the fraudsters behind that, they use information from inside the company to pretend that they're the CEO. To pretend that they are the right owners of that money or the right owners of the company or that they have the right to do that.

In some of the cases that were identified by Symantec in this case, the companies that were victims were first attacked by people who were supposedly based in Ukraine. So they attacked the local network of the companies to get information about their banking accounts, their security procedures, the names of the people working there and so on. Sometimes they managed to get information to be able to redirect telephone calls, etc., etc. And in this case the people organizing the fraud were based in Israel. And then the money would go through Cyprus, Malta, Southeast Asia and so on. So this is the type of cases where we see a form of organized crime.
The organized crime is mostly in this case based in Israel. And they were using other people from Ukraine that they hired maybe online or maybe they met with them. I suppose they met with them. And this is a typical case that we have. On those cases, there's been hundreds of thousands of euros leaving France and leaving other countries. And since a couple years ago, let's say three years ago, US is struck as well and other parts of the world.

But what we see most of the time, it's not organized crime. It's more of an ecosystem of different people with different roles on the internet. And from developers, coders, people who develop malware, who find vulnerabilities, who exploit using those vulnerabilities, who develop distribution platforms, so malware distribution platforms. So they develop tools and then you have people using them.

Other actors are managers of infrastructure, so they're going to rent servers inside a bulletproof hosting organization or inside an actual organization that does web hosting. So they're going to buy servers or rent servers and then rent them again back to the bad guys. And they're going to protect their identity from investigations. There's people developing crime as a service, for instance, credit card check. So you can check if a number is still valid or people managing online markets. So where the bad guys meet with each other, chat online. It's mostly web forums. They've moved to Tor, for instance, on onion servers, but it's still web-based forums. And then there's people who are also useful, middlemen, to do money laundering, money mules, and people who organize that.

And all those people work together to develop a botnet, for instance. So you need malware. You need a server to distribute it. You need the server to coordinate your botnet. And then you're going to need people to resell the information you've collected.
So if you've collected passwords, there's people specialized in laundering of those passwords and so on who are going to sell it for them. So actually there's actors in the cybercrime world who have no technical abilities. They just pick from different services.

And what is really important behind that is that for us, when we start an investigation, the situation can move from one day to the other. So for instance, you have a victim or you have a series of victims. They've downloaded malware by clicking on a link from a specific server. And then their passwords are sent to another server. So a typical botnet setup. The next week, the server who is being used to distribute the malware is used to do something else. To send phishing or to host phishing or to do legitimate activities. And there's no way you can investigate anymore because it's been erased. The reason is they tend to move a lot. Or they simply want to change partners because they get cheaper costs or because the guys were arrested and so on. So it's a very moving environment.

So just to illustrate that a bit differently. So this is a typical setup for a ransomware distribution. You receive spam or you visit the website and you're redirected or your browser is redirected to an exploit platform or an exploit kit. And without you having to click anything sometimes, the computer is downloading malware and then connected to the command and control server. After that, your personal data goes away or your computer is used to send spam or used to do a denial of service attack. In the case of ransomware, it's just used to collect your payment information in this case. In many cases, once there's one malware on the victim computer, there's other malware that is going to be installed.

So in this setup, you have different people managing the different aspects. So people doing the spam to distribute the links to victims. People developing the malicious JavaScript to redirect the victims to the exploit kits.
People hacking into servers to install the malicious JavaScript in this case. People managing actual advertising that is used to redirect people as well. People selling the exploit kits. People who are going to install the exploit kits and so on and so on. Different people doing the different aspects. Sometimes they've never met each other and they work together. And so that's the difficulty of the investigations today.

You've seen many cryptolockers in the press and maybe you've been a victim or members of your family have been victims. In some cases, like in this French news article, actually the actual story comes from elsewhere. The bad guy seems to be someone not very motivated in the end. It looks like his mother told him to stop doing it because he says, I'm very sorry that I stole your money and I blocked your computers. You can download all your information from this server on mega.co.nz and I will never do it again. What this shows you is that in this case the guy behind that just bought a kit to distribute his ransomware. He did not develop anything. He just learned how to do it on the internet and then did it and made a number of victims. And that happens a lot. In those cases, it's mostly people from inside countries in Europe, inside France, inside Germany, etc., who are the suspects behind that.

Then the last aspect of my talk. So who's heard about WannaCry? Yeah. So this malware distribution is interesting for many different reasons. Well, one reason is that officially no one knows who's behind it. Actually, there's a police investigation going on around the world and there's been some police operations and there are suspects somewhere. But that's not the important aspect. What happened in this case is the distribution model was using a worm-like propagation.
So the malware was moving from one machine to another directly on the internet using a vulnerability that was actually published after a revelation of some tools that were developed by an agency somewhere in America. And it's okay. I can tell you a lot about why agencies in US, in Europe need tools and why that's necessary. The problem is the vulnerability was published in the end. And once the vulnerability is published, it is exploited. And it is exploited very quickly. In this case, it was exploited to distribute malware, such as a cryptolocker. It could have been used to do spying and so on. And it could happen to a French agency. It could happen to a German agency and so on. So let's be modest.

So what happened, and it's very different from what we used to have in the past few years, the malware was going from one machine to another. And in practice, it looks like they tested it on Thursday. Friday, they started spreading it. And Friday evening, it was all over the planet. That usually never happens. And those are the infections that were measured during the weekend. So Thursday, some tests. There are some traces of the tests. Friday, the actual launch of the spreading. And then it moved from one point in the world to the whole world. And you see victims in Russia, potentially China, Ukraine, France, Canada, US, and so on.

So France was actually a big victim. The victims we had were people having a machine directly connected to the internet. And that's not very common. Usually people in France connect to the internet behind what we call an internet box. And you're not directly connected to the internet. And unless you put your machine on the DMZ, it cannot be attacked from the internet directly. It's not a proper firewall and so on, but it's some protection. In other countries, it's not always the case. People just plug in behind the modem and the ADSL modem. And that's why they're spreading in different regions.
So the cases we had in France, it's people who are using those machines to collect surveillance camera information. And it's something we see more and more often. It's devices that you plug in somewhere that you configure quickly. You actually don't know what you're configuring. And it works because you can see what's going on on your smartphone. Hey, I can see the camera from my home. Everything is safe. The problem is your network is not safe anymore. That happens to companies. That happens to private people.

Actually, one of the victims was a boulangerie. You know what a boulangerie is? A bakery, exactly. So a place where you can buy good stuff in the morning. So they had cameras to protect the store and actually they were directly connected to the internet. So those were Windows machines. But in other cases, they're Linux machines with a basic BusyBox, for instance, or different types of setup that can be used. So actually the victims were not victims of much because the information that was encrypted was just videos of surveillance in most cases. But that was for WannaCry. Other attacks were more damaging.

So that's an interesting evolution. Fast distribution. It's not on actual computers. It's on devices that are used to store web surveillance. Something you just plug in your home. We've seen also cases in Europe of actual TV sets that are bricked because of ransomware. So you can have a TV set with Android on it, with LG. I don't remember the name of the OS, et cetera. Well, if it's Android, there's Android malware and it can also attack the TV. And if you have a 2,000 Euro TV that just shows that sort of screen, it's not very useful anymore.

So one message actually to a community like you is that security is really important. Systems that can be updated. Helping people that install systems to secure their environment to secure their systems is really important. If something is easy to set up, it needs to be easy to update, easy to secure.
Otherwise it becomes dangerous. So that's one of the major messages for today. Thank you. We have time for a few questions.

I'm writing the story of a post-it play in France. I know some stories about it. It's a part of the Holocaust investigation in France. So I might put that as a reference.

You know what you have on your machine, right? So what happens on a Tor relay is that it's not set up to collect any type of information. It's just set up to be a relay. So for law enforcement, it's not very interesting to see the computer. There's other strategies that can be developed to be able to identify suspects on Tor networks. I'm not going to go into detail, but you've seen cases in the press of people who've been arrested. Their servers, their hidden servers have been seized. So law enforcement is working and is able to, in some cases, to identify the bad guys. So the bad guys is some of the people who are using your relay, but they're also using the internet. We're not going to seize the whole internet and so on. So that's the technical answer.

Of course, there's nothing wrong with you running a Tor relay. But it also means that a high level of the activity on Tor from the point of view of countries like France is illegal activities. In other countries where it's not a democracy, it's used mostly to protect private conversations, not to be arrested by the police, who are actually going against people who express themselves. In France, what we see is that most of the activities on Tor is around selling drugs, selling malware, etc. So you need to be aware that part of what is going on on Tor is not for good reasons. But that's for you as a message, not for, yeah. And maybe in some cases, if you can help law enforcement, if you have information, then it's up to you. Maybe you should be able to share it. I know it's not on your Tor server, but maybe you can see other types of information that can be helpful. Another question over there?
So in your earlier slide, you said that you see less organized crime, and you see associations of newer people with too many crimes. So can you say more about that? Because that seems to not be what we see, for instance, in other parts of the world. So in Russia or other countries.

Where should I? Actually, in other presentations, I have more examples, but even if you look at criminals from Russia, usually when groups are arrested that come from Eastern Europe, or Russia, Georgia, Ukraine, and so on, it's not more than four or five people that are identified. Some of them just know each other on the Internet, and some have met. But in many cases, it's isolated people. In some cases, it's a really organized group. They even set up companies to do their illegal activities. And yes, in that case, they're very often hidden in the country where it's difficult to get cooperation from. So it exists. But the huge volume of the activity, for instance, from those countries at the east of Europe, it's people selling tools for others to use. They're not really managing botnets and so on. And there are some individual groups managing very large botnets or larger activities. But in many cases, they don't really know each other.

It's not the typical definition of organized crime as we would have it in the past, like the mafia that we have in Europe, in Italy, or in France, and so on, with a big structure and a pyramid structure with a big boss at the top, and so on. So it's not typical criminal organizations. And thus, it makes it difficult for us to investigate because we have special tools for criminal organizations. We can investigate faster. We have access to tools like wiretaps, like undercover investigations, and so on. And in some cases, it's not available for us in cybercrime. That's the idea.

Thanks. There's two parts of state cybercrime. People who are fighting like yourselves, and then there's people who are, let's say, doing intelligence work.
I'm generating tools that exploit overdue, as you say, coming to use operating systems. Is there rooms in the EU or in France that you're trying to standardize where if one organization in a country is aware of the vulnerability that the population is exposed to, that there's a timeline for actually disclosing that responsibly to others that the general population will be put at risk? Is there anything like that?

So there's no actual solution in place, but the debate is on the table, and it's the kind of debate we have with the European Commission at the moment on how we should deal with those. So the first answer is no, but yes, we're talking about it.