The Misuse of Computers: A Rogue's Gallery
One can argue the digital divide of 2010 and beyond is between those whose data has been stolen and those whose data will be stolen. Aren't global connectivity and ubiquitous computing grand?
- The Role of the WAN in Your Hybrid Cloud
- Securosis Analyst Report: Security and Privacy on the Encrypted Network
- Transforming Operations - Part 1: Managing Outsourced Development in Telecommunications
- Real results: Speeding quality application delivery with DevOps [in financial services]
The notion of using 'crime' and 'computer' in the same sentence is not new. What's different about computing today is that technology has extended the criminal's reach. Whereas the criminal of the 1960s had to penetrate the physical security of a data center, today's hackers can cooperate in international criminal enterprises that affect victims on several continents.The term 'hacker' once meant someone skilled at programming but today it's become a pejorative unless prefaced by 'white-hat'. When people penetrating systems became news, the media described them as hackers. When those early hackers were asked why they penetrated networks, they often described the achievement itself as being their reward. ("Why did you climb K2? Because it was there.") But a newer generation of hacker is the cyber-criminal who uses his expertise to steal, often while engaged in a criminal conspiracy.
This blog entry provides a back story for a larger topic: the misuse of computers. Web log readers often prefer information in smaller doses. Taking a look at some history of criminals exploiting computers is interesting in and of itself. Methods have changed over the decades but today's criminal is often seeking the same pot at the end of the rainbow as his counterpart 25 years - financial systems, often debit and credit card payment systems.
When Willy Sutton was asked why he robbed banks, his reply was "Because that's where the money is". Cyber-criminals have a similar mentality. It's more profitable to compromise systems that process millions than to steal from mom-and-pop businesses.
1970s One of the more spectacular thefts of the 1970s involved an insider; Stanley Mark Rifkin consulted for Security Pacific Bank. He pulled off a multimillion dollar bank robbery, the largest in US history at the time. What's more, while out on bail, he tried to victimize a second bank using the same technique. Rifkin gained access to the wire transfer room at Security Pacific Bank and learned the secret code used to authorize electronic funds transfers. How? The codes changed daily and that day's code was posted on the wall! With a phone call, Rifkin identified himself as 'Mike Hansen', an international employee of the bank, and ordered the transfer of funds using the 'secret' authorization code.
Rifkin transferred $10.2 million to an account he controlled. He wanted to purchase an untraceable commodity so he used an intermediary to buy 43,200 carats in diamonds for $8.2 million. It was the process of selling the diamonds that was Rifkin's undoing. One of the potential diamond buyers saw a news report about Rifkin and the bank theft. Rifkin was arrested and, while out on bail, he targeted Union Bank of Los Angeles with the same scheme. He was convicted of two counts of wire fraud and sentenced in 1979 to eight years in prison.
Debit and Credit Cards Credit card fraud has become a multimillion dollar criminal activity that has involved an international cast of characters. In just three widely-reported episodes, the damages totaled more than $300 million. The loses are from a combination of incompetence and criminal intent. The criminals have become more technically sophisticated in the past 20 years; they've graduated from altering cards and stealing thousands to hacking networks and databases to steal millions.
The misuse of computers for credit card fraud first became newsworthy decades ago. One reason is devices used to encode and read the magnetic stripe on credit cards were freely available as long ago as the 1980s. We used them 25 years ago for an access control system that read information from the magnetic stripe on ID badges.
1992 In February 1992, Danny Shafer of North Hollywood, California was arrested for fraud. Investigators seized computers, ATM cards and credit cards at the time of his arrest. Shafer was another example of using insider knowledge to penetrate a system. He used a modem and an access code to get cardholder information from TRW credit files.
In 1992, 19-year old Ali Mojaddam was the leader of a Los-Angeles area fraud ring. He was arrested in August 1992 after racking up $100,000 in bogus credit card charges. He'd used a card encoding device with his home computer. 25 of his accomplices were arrested for using altered credit cards. Mojaddam was sentenced to 40 days in County Jail
Visa International estimated that losses from encoding fraud jumped from $0 in 1989 to $39 million in 1991.
1999 Insiders are often a threat to computer or network security. Two of the criminal schemes that originated in 1999 involved nefarious insiders. One scheme that penetrated a credit processing firm involved U.S. Treasury Department employees whose criminal partner worked for the Department of Defense. Wanda McClain, Carolyn Deruso and Lelani Deruso were arrested for a scheme to steal $31,000 from Superior Bank Card Services of Woodland Hill, California. The women were sentenced in 2000 to a $31,256 fine and five years probation.
Broadway, London and Hollywood are important destinations for an acting career, just as Mecca is important to Muslims. Miami has apparently become a Mecca for aspiring credit-card fraudsters. An early case of credit-card fraud by criminals based in Miami was an operation that penetrated ten restaurant networks between 1999-2001. David Prouty and Nicole Conde were arrested and prosecuted for a credit card scheme that netted millions after stealing data about 39,000 credit card holders. At the time, that was the largest credit-card fraud scheme to be uncovered. The crooks acquired credit card information about people who held a Visa, Master Card or American Express card. They sold some of the data and also processed charges through a dummy corporation (Mobli Oli Adms, Inc.).
The damage to American Express alone was $7 million and estimates of the total damage ranged between $8 - $20 million. When defendant David Prouty was faced with having to make restitution of more than $5 million, his attorneys went to court with the argument that he was broke! Prouty was sentenced to 46 months in prison and Nicole Conde was sentenced to 20 months in prison.
The Prouty and Conde scheme involved capturing the information about card holders coded on a credit card's magnetic stripe. It's this information that's frequently the target of other fraudsters. Track 2 of the magnetic stripe contains the account number, cardholder name and expiration date.
Prouty was another example of an insider threat. He was an employee of Symbiont Software Group, a company in Miami that specialized in retail point-of-sale (POS) systems. Prouty and Conde were home-grown criminals; they had been classmates at Cutler Ridge Junior High School in South Miami. Prouty accessed cardholder information stored on the POS systems supplied by his employer.
American Express sued Symbiont Software Group and its president, David Schilling, claiming:
Symbiont gave Prouty access to confidential financial information stored on its systems, notwithstanding actual or constructive notice of Prouty's lack of fitness for employment.
Prouty and Conde were forerunners of other credit card fraudsters who exploited network and payment system flaws, including WiFi network vulnerabilities. There's a Miami connection to the largest credit-card fraud scheme to date, which also involved network vulnerabilities.
Next: The ShadowcrewMethods have changed over the decades but today's criminal is often seeking the same pot at the end of the rainbow as his counterpart 25 years - financial systems, often debit and credit card payment systems.