Prologue

On a frigid afternoon in December 2004, veteran Edmonton Police Detectives Al Vonkeman and Bob Gauthier hustled to the Beverly Motel, a dingy, cinder-block establishment, where rooms rent by the hour. They were chasing down a tip that someone in Room 24 was using the phone to access a dial-up Internet account linked to an email folder brimming with stolen identity data.

As Vonkeman and Gauthier prepared to burst in, the door to Room 24 opened and out strolled Biggie, a garrulous methamphetamine addict and trafficker they’d arrested numerous times, followed closely by Socrates, a gaunt 20-year-old computer nerd. Both were sky high on ice—crystal methamphetamine—but gave the officers no trouble. Inside Room 24 the detectives found meth pipes, stolen credit cards, notebooks with handwritten notations about fraudulent transactions, and print-outs of stolen identity data. The distinctive sickly aroma of recently-smoked ice pervaded the air.

“They were just starting to set up,” recalls Vonkeman.

Biggie and Socrates were preparing to play bit parts in an international money laundering scam made possible by the financial services industry stampede to exploit the Internet’s convenience and global reach. The little operation in the motel room may have looked like small potatoes. But Vonkeman and Gauthier would later discover that the pair worked in concert with a loose confederation of hackers and scammers based in the U.S., Quebec, Romania and Bulgaria. The Edmonton addicts, in fact, comprised a prototypical cell of street operatives helping to carry out the final, riskiest step of online scams—extracting cash from hijacked accounts.

The set-up in Room 24 was not an isolated example. The Internet is rife with chat rooms where drug addicts and street toughs forge partnerships with Third World hackers and fraudsters. This teeming, mostly unseen, world of Internet crime points up a cataclysmic shift all too quietly reverberating through Western society. Here’s the dirty little secret about the digital age we live in: no one is safe from data theft and online financial fraud.

No matter how careful and tech-savvy you are, no matter if you rarely use a computer, you are more likely than ever to have your credit or debit card numbers usurped, to have cash surreptitiously transferred out of one of your financial accounts, or to have someone snatch up the proceeds of a loan obtained by piggybacking on your credit history. And once victimized, you will face more trouble than you might imagine trying to set things right.

What’s more, your chances of getting caught in this vicious cycle will be greater next month, next year and the year after. As Internet-based commerce and social networking inexorably expand, so will your chances of becoming the victim of a cyber crime. At first blush, it may seem like the Biggies and Socrateses of the world, and the profit-minded hackers and fraudsters they collaborate with, are primarily to blame.

But Zero Day Threat will make this provocative assertion: The real culprits are the stars of our financial and technology industries, corporations like Wells Fargo and Bank of America and the Big Three credit reporting agencies, Equifax, Trans Union and Experian, as well as tech giants Microsoft, Google and Apple.

These corporate stalwarts have leapt headlong into exploiting the Internet for profits, and, in doing so, created fresh criminal opportunities, which, for self-serving reasons, they proactively downplay to the public.

In tech security circles, one of the most feared phenomena is something called a “zero day threat.” It refers to a virus that begins to exploit systems through a security hole for which no patch exists. No patch exists because security professionals are unaware of the vulnerability.

In much the same sense, Internet crime looms as a zero day threat to our consumer-driven society. Most people are clueless about the true scope of their exposure to cyber crime. Most of us have little inkling that by simply possessing a Social Security number, we face a rising risk of becoming the victim of credit fraud. Few of us appreciate how each time we use online banking and shopping services, we put our personal and financial data into active play for cyber thieves.

Not surprisingly, the public outcry for a safer Internet has been muted. Many consumers and small businesses, seduced by the Internet’s convenience and influenced by slick advertising campaigns, naively believe online transactions are safe as long as they use a firewall, keep their anti-virus software updated and follow security tips.

Absolutely not so.

“What banks don’t tell you is how easy it is to bypass those protections, and how prolific the threat is because then you wouldn’t do online banking,” says Peter Vogt, a board member of Information Systems Security Association, an international group of tech security professionals.

Financial fraud has been around as long as checking accounts and credit cards, to be sure. However, the drive by commercial corporations to hastily transform the Internet into a secure transactions network has blasted open virgin criminal frontiers. That’s because the Internet, a system originally assembled by military strategists and academics as an open, anonymous communications channel, was never intended to serve that purpose.

“In the past, everything was much more traceable,” says banking analyst Avivah Litan, of the Gartner research firm. “Now you can open 10,000 (bogus) accounts in the time it used to take to open one, all in a faceless Internet.”

With Internet-enabled crime becoming ever more stealthy and pervasive, cyber crooks on the cutting edge require one thing most of all: identity data, particularly account user names and passwords, credit and debit card numbers, PINs and CVVs, and especially Social Security numbers.

So a cottage industry of specialists has sprung up to supply a rapidly swelling pool of stolen personal and account data through multiple channels. In the interconnected world of the Internet this puts nearly everyone at risk. Even consumers who rarely use computers are fair game, since their profiles are being sucked into the stolen ID pool along with everyone else.

And because our financial systems are automated and skewed toward issuing revolving credit in less time than it takes to drink a cup of coffee, credit fraud scams are spiking. Anyone with a useable credit rating is at risk.

The final step in carrying out a cyber crime invariably involves getting ill-gotten cash or goods into the hands of the criminals. And in this endeavor, criminals are using the Internet like never before to form mutually beneficial partnerships. In communities across the USA and Canada, cyber crooks are increasingly hooking up with highly-motivated meth addicts, like Biggie and Socrates, who are already practiced at petty theft and confidence schemes.

Now that cyber crime has become a fast-flowing river, generating more than one hundred billion dollars a year in illicit profits worldwide, small timers like Biggie and Socrates are being drawn to its banks and have begun splashing in the shallows like never before. Yet they are sipping comparatively little. Operating out in the deeper running waters are well-financed, very professional organized crime groups based in Russia, Eastern Europe, Brazil and very likely in the U.S., as well.

While the small time criminals draw an inordinate amount of attention from law enforcement, organized cyber crime gangs are becoming ever more entrenched. These heavyweights increasingly form partnerships to systematically probe for novel ways to harvest data and put stolen data to work amassing illicit profits.

Organized cyber rings share much in common with terrorist cells. Both are designed to resist penetration. Information is passed along on a need-to-know basis. Cells operate as much as possible as self-contained units. That way, if anyone gets arrested or any cell gets knocked out of commission, the damage to the overall organization is limited.

The outrageous theft of records of 94 million credit card transactions from giant retailer TJX, parent of 2,500 TJ Maxx and Marshall’s stores, is a stunning example of the efficiency and resiliency of cell-structured cyber crime. The cell of well-prepared hackers quite obviously was part of a larger, deep-pocketed organization. The stolen data flowed seamlessly to a matrix of partner cells – distributors, wholesalers, counterfeiters, forgers and money launderers – in several states and nations.

One Miami-based cell of money launderers, reporting to a co-ordinator named El Flaco, the Skinny One, was supplied with finely made counterfeit credit cards bearing Visa account numbers stolen from TJX. Led by a charismatic 18-year-old named Irving Escobar, aka The Venezuelan, the Miami cell proceeded to use counterfeited credit cards embedded with TJX data to haul in $1 million worth of Wal-Mart gift cards from all across Florida. The bust-up of the Escobar gang of 10 did almost nothing to disturb the wider matrix of cells it was part of.

* * *

Convenience, as much as anything, defines Western culture. For many of us it has become unthinkable to go anywhere without a cell phone and unnerving to be more than a few minutes removed from access to our email Inbox. In this digital age, the notions of getting caught short of cash or forgetting to replenish your checkbook before leaving home have become quaint anachronisms.

We live in a time where you can complete a credit or debit card transaction in a retail establishment, on the phone or on the World Wide Web, in less time than it would take to break a $100 bill or clear a personal check.

Yet with greater convenience comes rising risk. It turns out that the amazingly swift credit-issuing and payments system we’ve come to rely on is rife with paper-thin membranes. The financial industry – banks, credit card companies, credit bureaus and data aggregators – designed it that way. A pliable system, after all, is endlessly extendable.

With such a system, convenience often trumps security, and that was fine as long as criminal exploitation could be managed at an acceptable level, which has been the case for most of the past five decades.

But a number of variables changed drastically as the last millennium drew to a close. Digital technology flourished and the Internet Age took off. Eager to exploit the Internet’s convenience, merchants, media companies, tech companies and the financial industry stampeded into e-commerce whole hog.

What no one saw coming was the extent to which enterprising hackers and fraudsters, ranging from video-game addled adolescents to well-funded Russian crime gangs, would follow suit and swarm e-commerce, as well. Since 2000, the systematic harvesting of personal and financial data has accelerated to an astounding level.

Meanwhile, financial fraud scams that make clever use of stolen identity data have mushroomed in scope and variety, playing off the many and varied commercial transactions that can be executed anonymously from any Internet-connected PC anywhere in the world, simply by typing in the correct username and password.

More recently, cyber spies have joined the party, probing the same soft membranes, hacking into government and corporate databases. These elite database hackers stealthily roam private intranets, scooping up large caches of personal and financial data and hunting down military and trade secrets.

The authors had little inkling of this pervasive threat in the summer of 2003, when each was filing separate news reports for USA Today, on spam and PC viruses respectively. The mainstream press at the time certainly reported on spam and viruses as mutually exclusive topics. The genesis of this book began when the reporters teamed up that summer to look into what commonalities there might be, if any, between spam and virus attacks. A working premise soon began to gel around examining the notion that the cyber crime underground, in fact, operates according to the same business principles as any other capitalist market. But as research progressed, myriad complexities surfaced. We confirmed that spammers, virus writers, data harvesters and financial scammers indeed acted according to the principles of supply, demand and capitalistic profits.

But we also came to see how cyber crooks actually play a somewhat limited role in that they were merely opportunists slipping into doors, windows, closets and vaults left ajar in the rush to commercialize the Internet. We discovered there were much bigger drivers for the current state of security and privacy of sensitive data, and those drivers had more to do with the business practices and marketing strategies of the financial services and technology industries.

The stories you will find in Zero Day Threat contain many astounding revelations. They have been assembled with the intent of helping foster an improved understanding among the public at large about the intricacies of keeping personal data secure and private in the Internet age.

Each chapter in the book is written in three recurring sections – exploiters, enablers and expediters – that progress in parallel through the book. The “exploiters” sections take the reader deep into the world of drug addicts, scam artists and crime lords who carry out the gritty aspects of data theft and financial fraud. The “enablers” sections guide readers through the history and current practices of credit card companies, banks, credit bureaus and data brokers. And the “expediters” sections recount the role of technologists – the good guys and the bad guys, from Microsoft Chairman Bill Gates to a rogues’ gallery of virus writers and database hackers continually probing tech systems for fresh flaws. Additionally, the stories of ordinary citizens who have experienced data theft and financial fraud are interspersed throughout.

The authors’ intent is not so much to alarm as it is to illuminate the underlying drivers at work exposing all of us to a perpetual zero-day threat, in terms of the imminent risks of becoming a victim of data theft and identity fraud. In doing so, it is our sincere hope that readers come away better equipped to deal with security and privacy issues likely to confront all of us to one degree or another. This book is a work of journalism. All characters and events are real, though some pseudonyms are used for the personal safety of the sources.

-Byron Acohido, Jon Swartz. July 2007