The Art of the Steal
The key to mass deployment of these systems is that they work no matter what contingencies arise. For instance, face recognition systems get foiled when a man grows a beard or a woman dyes her hair. If someone puts on a significant amount of weight and his face gets pudgier, that alone will throw off the machine. But the iris systems work, even if a customer wears glasses or contact lenses. They work at night and in dim lighting. Face recognition systems are thwarted by twins, not that theft by one twin against another is one of the world’s major crime problems, but even twins have unique irises.
Fingerprints can change from injury or deliberate alteration. But not irises. From the time someone is about eighteen months old until a few minutes after they die, their iris is unchanging. For the purposes of an ATM machine, that’s plenty of time. And you can’t fool the machine by holding aloft a picture of the cardholder. The first thing the camera checks is whether the eye is pulsating, and thus alive. If the camera fails to detect blood flowing through the eye, then it concludes that it is looking at a picture or at someone who’s dead.
It’s fascinating technology, but I’m personally against these devices. I just think the whole idea is ridiculous. We’ve given up enough privacy in this modern age, so why should we be asked to give up anymore? The bank has enough information on its customers. Now it’s saying that it wants them to give up their irises? For what? Something they’re not even liable for. The most that crooks can normally take from one account is a couple of hundred dollars, and it’s the bank’s problem if it happens. So my feeling is, why insult your customer?
8
[THE CYBERTHIEF]
Not long ago, I was faced with a real dilemma. One of my sons had a birthday coming up, and he wanted a guitar he’d seen on eBay. That particular guitar, and no other. I know that eBay is part of the pulse of daily life for many consumers, who regularly log onto the auction site to buy everything from car tires to knight’s helmets. But it isn’t part of my life. The Internet frightens me. I think it’s a wondrous invention and there are many things I love about it, but it unnerves me because of all the possibilities for fraud. A firm rule of mine is never to buy anything over the Internet with a credit card, and I tell my wife and kids the same thing. I just don’t trust the feeble amount of security that’s been incorporated into most websites.
But now there was this guitar and my son’s birthday. So I logged onto eBay and found the guitar. In order to purchase it, I had to go to a feature called Pay Pal. It required that I enter my credit card number. Given my convictions, I was very reluctant to do that, but I was even more reluctant to disappoint my son. So I went through the drill and typed in my MasterCard number and expiration date. Just as I was about to complete the transaction, I got panicky and had a change of heart. I pressed cancel. I’m not going to do this, I told myself. It violates all my principles. I signed off, unaware of my impending fate.
Fortunately, eBay tells you how to contact the owner of any item offered on its website, and so I sent an e-mail to the guy who was selling the guitar and asked him to call me. When he did, I talked to him for a bit and felt comfortable that he was legitimate. I told him I’d like to buy the guitar, but I wasn’t going to give out my credit card on the Internet. I said I’d send him a cashier’s check for the amount, and give him my Federal Express number so he could ship it to me. He agreed, I got the guitar, and my son was delighted.
Soon after, I received my MasterCard bill in the mail, and there was a two hundred fifty dollar charge from Pay Pal. I called and said that I hadn’t bought anything. They told me to write a letter contesting it and they’d remove the charge. Then a package arrived at my house addressed to me. I opened it up and it was some ski pants. I hadn’t ordered any ski pants. I didn’t even recognize the company.
I called them up and was told it was an Internet purchase made on my MasterCard. I explained that I would never buy anything over the Internet. Obviously, someone had gotten hold of my credit card number, and the only way he could have done it was through that Pay Pal entry. Okay, the guy said, just put the pants in the box and send them back and I’d get a credit. I asked him why someone would use my credit card to buy something and then ship it to me? What probably happened, he said, was it was someone in my area. Most people are at work when packages arrive, and they get left on the porch. Thieves will order them, find out when they’re to be delivered, and then steal them off the porch. Another possibility was the thief tried to have it delivered to a different address, but as a precaution, this company only shipped merchandise to the billing address on the card. Not wanting to arouse suspicion, the thief probably allowed it to be sent anyway. What did he care? He wasn’t paying for it.
Once I got off the phone with the ski pants company, I called MasterCard and alerted them to the shenanigans with my card. The representative checked my account activity. As of that moment, it showed purchases of $3,600, none of which I had made. They were all Internet purchases, since there was no need for a signature or anything. My card was canceled, and I had to send a notarized affidavit attesting that those were not my charges.
So here I was, one more victim of Internet fraud. The sole time in my life that I used the Internet to attempt to buy something, and just for a minute, I got scammed. I never even completed the transaction, and yet my card number was preserved on the site and someone got hold of it. If this happened to me, who’s constantly on the alert for swindles, it shows you how vulnerable computers have made us.
THE PORTABLE THIEF
There’s no question about it: the Internet is a criminal’s dream come true. Forty million people use the Internet every day, and to a thief, that translates into the ability to cheat an immense number of people all at the same time. Estimates are that more than 5 percent of Internet transactions are fraudulent, compared to less than half of one percent for brick-and-mortar retailers. Every day, thieves are sitting before their terminals, trying to break into somebody’s system, working on that way to bypass security.
With the Internet, a thief doesn’t need to come to your business or your home to steal from you. He does it by computer. A con man normally had only the ability to reach people through the medium of himself, and so he could only cheat a limited amount of people in a small area. Back in my days pushing bad paper, I was constantly on the move, and I had to be. Part of the reason was to evade capture, but also I needed to find new victims I hadn’t yet fleeced. A con man today never has to board a plane. Using the Internet, he can deceive people all over the world, without having to talk to them. He doesn’t even have to get dressed.
When it comes to fraud, appearance used to matter. When I started doing check forging, I was sixteen, but I was over six feet tall. I looked like an adult, and I was able to act the part. If I’d been a bashful, pimply-faced teenager, there would have been no way I could have gotten away with what I did. But with electronic fraud, you don’t know who the criminal is. You can’t see him or her, because the person is sheltered by the technology’s anonymity. You have literally opened yourself up to millions of criminals, and not only domestic ones. When you’re on the Internet, you don’t know if you’re dealing with someone from Nigeria, Syria, Hong Kong, Malaysia, or Buffalo. And have you ever tried to get a refund from another continent? You won’t enjoy the experience.
Computer crime, or cybercrime as it’s called, is one of the newer forms of fraud, but it’s a tremendous growth industry. One of the frightening things about fraud with computers is the speed at which it happens. When people use the Internet, they talk of going on “Internet time,” meaning that everything transpires at warp speed. Well, criminals like Internet time too. A well-executed bank robbery, the physical stealing of the money, is going to take a half-hour, easily. With an electronic heist, we’re talking a couple of milliseconds.
So much about computers makes me uncomfortable, because they’re the doorway to limitless amounts of money. Money is continually transferred electronically between banks and financial institutions, trillions of dollars a day flying around the world as electronic pulses. If a hacker slips inside a bank’s computer, he can commit bank robbery of unprecedented proportions, with a mouse rather than a gun. Here’s a statistic that shocks even me: only 6 percent of all websites are considered secure by experts. That means that 94 percent aren’t. The 6 percent are almost all big financial institutions, because they’re the only ones willing and able to spend the money to do it. It can cost at least $50 million for a bank to secure a website. Every day, ten thousand new websites are added, 94 percent of which are not secure. Despite this, most of us fail to acknowledge the fact that the computer is like a weapon. For the purposes of robbing someone, it’s the same as a gun. The only difference is semantics. With a gun, it’s called armed robbery. With a computer, it’s called white-collar crime.
THEY SHOULD FRISK FOR A MOUSE
Computers have become such a potent weapon that in 1999, the U.S. Parole Commission made some telling changes in its rules. High-risk parolees can now be restricted from using computers and the Internet without written approval. In other words, don’t just keep guns out of the hands of repeat offenders; keep these guys away from the computers.
And for good reason. In 1994, Vladimir Levin, a thirty-year-old Russian payroll programmer with thick glasses, used a rather primitive computer to steal $10 million from Citicorp’s wealthier customers. With the help of some confederates, he managed to transfer the money into accounts with phony names scattered among obscure banks in the Middle East, Europe, and elsewhere. Then accomplices would go in and withdraw the sums. A stool pigeon ultimately turned him in, or he might never have been caught. He was arrested when he left Russia to go to London for a computer exhibition. Levin was generally considered to be the first online bank robber, and his theft was the largest computer crime on record.
As Levin’s crime illustrates, a big difference with electronic fraud is the quantities involved. With regular fraud, the amounts are often fairly small and only add up over time. With electronic fraud, we’re often talking about losses of millions of dollars in each caper. The FBI says that total losses from computer-related crime exceeded $250 million in 2000, double what they were in 1999, and since so much of it is under-reported, it could be in the billions.
Unfortunately, law enforcement has not kept pace in its training of agents in how to combat computer crime. One recent study of cybercrime found that only a tiny amount of the federal government’s law enforcement budget is spent on computer-crime training and staffing. Many police officers don’t even have e-mail.
Incidentally, outright theft of computers—the actual machines themselves—is itself a big problem. Security experts say computer theft is now second only to auto theft, and it’s much easier getting your car back than your computer.
HACKERS AND CRACKERS
If you have any doubt about the seriousness of electronic theft, think about this: six out of ten American companies and government agencies have been hacked so far, including the FBI, the CIA, the Secret Service, and the White House.
A twenty-year-old computer hacker confessed to breaking into two computers of the National Aeronautics and Space Administration (NASA) that were normally used to design satellites and for e-mail and internal functions. The hacker installed a program onto the computers that allowed him to host a chat room. On his chat room, he advised people to visit a particular pornographic website, and he earned eighteen cents for each visit someone made to it. Before long, he was making three hundred dollars to four hundred dollars a week.
A sixteen-year-old Miami boy broke into computers of the Defense Department and NASA, downloaded software, intercepted messages, stole data, and caused some of the computers to be shut down for three weeks. He repeatedly penetrated computers that monitor threats to the United States from nuclear, biological, and chemical weapons, as well as traditional arms. Too bad they didn’t monitor attacks from sixteen-year-old hackers. Fortunately, the government said none of the affected computers was related to the command and control system, so the kid wasn’t on the brink of launching a rocket or knocking a satellite out of orbit, but I hear these things and have to wonder, what’s next?
A few years ago, a band of German hackers wrote their own Microsoft ActiveX control. The control designed by the Germans made a slight adjustment in the popular personal-finance program Quicken. Whenever the user paid a bill online using Quicken, he would also make a small contribution to the account of the hackers. Stealing money a small slice at a time like this is known as a “salami” attack, and a computer can make a lot of salami.
There’s so much invasion of computers that distinct subcultures have emerged. The term “hacker” is now most commonly used to refer to teenagers who break into computer systems for kicks, the way kids of earlier generations smashed eggs on windshields or did graffiti. It gets them bragging rights among their peers. To them, bringing down the computer network of the Joint Chiefs of Staff is the same as playing Donkey Kong. After a sixteen-year-old boy was caught prowling in government and business computer systems, he explained, “All the girls thought it was cool.”
Full-fledged thieves who invade computers as a profession are referred to as “crackers.” There’s quite a robust underground market in cracking. Adept crackers can command ten thousand dollars and up for breaking into a corporate website, and just as baseball players arrange bonuses if they hit a certain number of home runs or pitch so many innings, they merit bonuses for stealing trade secrets or doing damage to a competitor’s computer system.
THE PROGRAM THAT LAUNCHED ONE THOUSAND SCAMS
We all learned how the Greeks won the Trojan War by concealing themselves inside a large hollow wooden horse that got them into the walled city of Troy. The simplest method crackers use today to invade a computer is a piece of software that operates by a similar deception—a Trojan Horse program.
Just like with the real Trojan Horse, a Trojan Horse program has two functions operating simultaneously, one that you see and one that you don’t. It does something overtly innocent like demonstrate a game, show a greeting card, or offer an mp3 song. But while that benign activity is going on, something insidious is happening. Basically, the criminal dupes you into running something whose exclusive purpose is to burrow its way into your computer without you knowing about it.
Trojan Horse programs take different forms, and you can find dozens of them offered free right on the Internet. One common scam works like this. The criminal sends you an ordinary e-mail. It’s easy enough to find out anyone’s e-mail address through a routine Internet search. The e-mail says, “Hey, how you doing? Want to see something cool?” and contains an attachment. The key is the attachment. When you open it, there might be a game demo or some little piece of entertainment. You watch it and have a few chuckles. But invisibly embedded in that demo is a Trojan Horse program known as a keystroke recorder, whose subcommands instruct the computer to record everything the user types on the keyboard. That information then gets sent to the computer of the criminal. He now knows your passwords and account numbers, and your credit is at his disposal. These programs were originally designed so employers and parents could check on what their employees and kids were up to, but like so many legitimate ideas, they’ve been put to alternative, malicious purposes by thieves.
The Trojan Horse could also carry a more elaborate desktop monitoring program that functions almost exactly like a surveillance camera. Now when you’re on line, the criminal views live on his computer everything that you type and see on your screen. He could be in Turkey, but it’s as if he were sitting beside you. If you log on to your bank account, entering your account number and your PIN, the thief in Turkey sees precisely what you’re doing. He can then log on to your account and have your bank send him a check that cleans out your savings. And you never even knew he was there.
A Trojan Horse can also deposit a remote access program that not only enables a crook to see what someone is doing, but also lets him get into that person’s computer, fool with his files, and disrupt his system. The best known of these snooping devices is Back Orifice. It was devised by a hacker group called the Cult of the Dead Cow. The program’s name spoofs Microsoft’s Back Office software. Again, these programs have a legitimate purpose. The majority of companies have them so employees can work from home or while they’re traveling. Well, thieves like to telecommute, too.
One of the more ingenious and remarkable Trojan Horse scams was pulled a few years ago by three men on Long Island. They set up several voyeuristic websites named beavisbutthead.com, sexygirls.com, and ladult.com that advertised free “adult” pictures. Internet users who happened upon the sites in their Web surfing were instructed to download a viewer program that would allow them to see the sexy pictures, and a lot of men did just that. What did they have to lose? The pictures were free, weren’t they?
Unfortunately, however, the viewer that was to furnish the pornographic pictures turned out to be more than just a viewer. It also housed a Trojan Horse that commanded your computer to do a few other things. It shut down your volume control so you wouldn’t hear anything coming out of your speakers. Then it hung up your modem line and dialed a phone number in Moldova, a tiny nation you probably rarely called that was one of the former Soviet republics. With the speakers shut off, you couldn’t hear that scratchy telltale sound of a modem dialing a number. The call to Moldova was answered by a computer that reconnected you to the adult site and caused a photo of an unclothed girl to show up on your screen. While you were admiring her curves, you were paying big-time for a transatlantic call.