The Art of the Steal
It got worse. There was only one photo, and it wasn’t that great, so most people abandoned beavisbutthead pretty quickly. But leaving the site didn’t disconnect the call to Moldova. Even when you signed off the Internet and went on to write some poetry in your word processing program, your modem was still talking to Moldova. The hijacking of your modem call didn’t end until you shut off your computer, which could have been hours later. If you left it on all night, you were in for a really rude surprise. Some people found charges as high as three thousand dollars on their phone bill. In just six weeks, the scam attracted 800,000 phone minutes to Moldova. Never was the country so popular.
WHAT TO DO
There are plenty of tools designed to thwart Trojan Horses, but it’s a constant battle against criminal ingenuity. Anti-Trojan Horse programs and anti-virus software are widely available, but they need to be updated regularly if they’re going to succeed against the latest Trojan Horses and viruses. And you need to use some common sense. Don’t download attachments from people you don’t know, and don’t download software off the Internet unless you’re sure of the site that’s offering it. If you download a program from a website you’re unfamiliar with, that’s about the same as ordering your prescription drugs from Nigeria. You need to know the source and content of every file you download. Even if the file says it comes from a friend, be doubly sure before you download an attachment.
THE HIDDEN AGENDA
Criminals think differently than most people. To avoid being scammed, you have to start thinking the way a criminal does. For instance, I visited a company while it was going through the frantic preparations for the Y2K rollover, when everyone feared computers might misconstrue dates after January 1, 2000. Everywhere I looked, programmers were scooting around the premises, fixing computer code.
I asked the executives, “Who are you using to prepare your computers?”
“Oh, these guys from India,” they said. “They’re really sharp. And they’re cheap.”
“Really?” I’d said. “Did you check out their backgrounds? Did you have them bonded? How do you know you can trust them?”
They looked at me and their jaws dropped. They didn’t know if they could trust them.
Their thinking was, these guys know computers and they’re inexpensive, as were a lot of other off-shore firms from India, Russia, and Taiwan that were fixing Y2K problems.
But I was thinking, this is a golden opportunity for cyberthieves. When else have so many computers been opened up and touched by strange hands, with the blessings of their owners? I knew that any dishonest programmer could easily implant a so-called “back door” or “trap door,” a hidden entryway for him to get into the system whenever he wanted and steal data or funds. I have no doubt that many trap doors were part of the Y2K packages that companies got such a great deal on. Whenever you allow programmers to work on your computer system, for whatever reason, look into their background so you know who they are. A bank doesn’t allow just anyone to fix the locks to their vault. The same thinking should apply to your computer.
GOING, GOING, GONE
The number one source of crime on the Internet is online auctions, in large part because so many people use them and they’re such perfect settings for deceit. The FBI gets hundreds of complaints a week about them. There are stories of fraudulent paintings and “rare” Barbie dolls that are not so rare, of nonexistent kidneys sold for transplants. There are auction sites that sell suspect dinosaur fossils and pieces of meteorites. Sometimes the con artists use established auction sites to run their cons. Often, though, they set up their own auction sites and advertise expensive items like Cartier watches and personal computers that a lot of consumers would be interested in. They ask victims to send money for the goods and then deliver nothing, or a counterfeit version of what they wanted. And it may be months before consumers realize what they got was counterfeit. Once enough money comes in, the sites vanish.
One of the most common auction scams is when a con artist maintains he bought a nonrefundable but transferable airplane ticket. Unfortunately, something came up and he no longer can use it. It’s always for a popular destination and a time of year when plenty of people would be interested. He’s willing to sacrifice it at a loss; he just doesn’t want to have to eat the entire amount. The winner gets rewarded with a counterfeit ticket or nothing at all. Frequent flier mileage also turns up a lot on auction sites. The con artist claims his miles are good for a ticket anywhere in the world. The bidder sends the money and gets a letter saying, “Unfortunately, I just learned that I can’t transfer the miles. Don’t worry, I’ll send you a refund.” People have been waiting years for their refunds.
Every Christmas sees a predictable surge in auction fraud. There’s always a hot toy that every child must have, but there’s insufficient supply. So, con artists advertise on auction sites that they’ve got the toy. The Sony Playstation2 was the toy of Christmas 2000. Many people ordered them from phony auction sites and got nothing but an encounter with fraud. The address for the business that operated one site offering Playstations was a derelict house in Canada. The toll-free number consumers were invited to call was in California. The fax number to which they were told to send copies of their credit calls to speed their order was in the state of Washington. The money the company collected was wired to a bank in Florida. Does that sound like any business you want to deal with?
If you’re going to buy merchandise from online auctions, and many people swear by them, research the seller carefully. Look for the person on other websites. Some auctions allow members to furnish feedback on their experiences with different sellers. Even the feedback option is susceptible to fraud, however, as unsavory sellers will post glowing reports on themselves. Some auction sites like eBay provide limited insurance. Probably the best type of auction to get involved in is one that offers an escrow service, where you pay a small fee and the money is held until your goods have been received.
THE MYTH OF SECURITY
Just about any type of scam gets a boost from the Internet, but the web has really opened up a new world of opportunity for credit card thieves. As I so rudely found out, whenever you use your card to buy something online, you’re putting your account at risk. Crooks just love to log on to steal your card number.
One of their primary hacking tactics is “sniffing.” When you type something on the Internet, it doesn’t go straight to the website you’re visiting. Rather, the data gets divided up into what are known as packets. These packets get routed from computer to computer, until they all coalesce at the intended web destination. Criminals will plant “sniffers” on website computers, most commonly those hosting shopping sites, and the sniffers intercept the packets, copy down the information, and then allow the packets to proceed to the website. Packets destined for shopping sites naturally contain loads of credit card numbers, and they’re the sweetest smell of all.
This data then gets relayed to the computer of the criminals, where they sort it out and use it for ill-gotten gains. The whole process is essentially the Internet version of wiretapping.
But the chief way credit cards are stolen with computers is by breaking into the storage computers of sizable e-commerce companies and copying the extensive inventory of credit card numbers housed in their data bases. In late 1999, in the weeks leading up to Christmas, a rather brazen intruder helped himself to an early present when he broke into the computers of CD Universe, an online music store, and swiped more than three hundred thousand customer credit card numbers on file. Identifying himself as Maxim—he told the reporters he communicated with that he was sixteen and from Russia—he e-mailed CD Universe and demanded one hundred thousand dollars. If the website didn’t pay, he threatened to divulge the card numbers on the Internet. If he was paid, he said he would fix CD Universe’s security bugs, destroy the stolen card files, and forget about their store forever.
Well, CD Universe officials refused to respond to blackmail. On Christmas Day, Maxim mad
e good on his threat. He set up a website that he called Maxus Credit Card Pipeline and began listing some of the stolen credit card numbers, adding new numbers on a daily basis. With a click of one’s mouse, anyone who logged onto the site could pick up a credit card number, name, and address.
The website operated for two weeks before some security experts found out about it, and alerted the Internet system that was carrying the site without its knowledge. It promptly shut it down. By that point, however, a traffic counter suggested that a few thousand visitors had downloaded more than 25,000 credit card numbers. Maxim also claimed that he had used some of the cards himself to raise some money.
The e-mail trail on the hacker suggested that he was indeed somewhere in Eastern Europe, making it difficult for American law enforcement to touch him.
Not long ago, someone broke into Western Union’s website and accessed 23,000 credit card numbers and expiration dates. Western Union had to call all 23,000 customers and tell them to cancel their credit cards. These were people who, a week before, had innocently transferred money through Western Union using their cards. You’d think a company the magnitude of Western Union would have a secure website, but it didn’t.
An editor at MSNBC, hearing about hackers wreaking havoc day after day, said that if it’s so easy to break into websites, why can’t my reporters do it? So he told two of his reporters to go home and get online and see if they could download credit card names, numbers, and expiration dates. He assumed it would take a couple of days. They were back within a few hours with 2500 credit card accounts.
The problem is, too many e-commerce companies don’t care if credit cards get stolen over their site, because it’s generally the credit card companies’ problem, and it costs staggering amounts to ensure security. If you’re Bank of America or Citicorp, it’s worthwhile to spend $50 million or $100 million to secure your site. But if you and I are selling outdoor lightbulbs or cheese, we’re not going to spend $50 million. Where would we get it?
WHAT’S BEING DONE
The Internet is so widely considered to be lacking in security, that companies have been forced to conceive of new ways to pay online. Late in 2000, American Express announced what it called a “private payments” service for credit card charges on the Internet. In effect, it’s a disposable credit card. We’ve got disposable cameras and disposable contact lenses, so why not a disposable credit card? The way it works is that a customer registers on American Express’s website, entering a name, password, and account number. Then the customer gets a private payment number that can be used once and only once. When you make a purchase online, you use that number rather than your regular credit card. As soon as the transaction clears, the number is worthless to anyone who gets hold of it. So if you want to send some flowers to Mom, you punch in the number, you’ve got the flowers, and the credit card number is immediately void.
American Express also offers a Blue card. If you order one, the company supplies you with a Smart-Card reader that gets attached to your home computer. It works pretty much the same way that a card reader does at the gas station or department store. The card has to be swiped through the reader, which authenticates purchases only after the correct PIN number is typed in.
Visa has been testing an online verification system of its own. One version goes like this: when you make a purchase over the Internet at a retailer’s website, a tiny window appears on the screen that asks for a password. When you type it in, that password is transmitted not to the store’s site, but to the bank that issued the card. This makes it harder for someone who has a stolen card to use it, because without that password being verified by the bank, the transaction won’t be processed.
In my view, these one-time use cards for Internet buying are a good thing. We need them, because there’s no faith in the security of online transactions.
If you’re going to give your credit card number over the Internet, at least make sure that the site uses S.S.L., or secure sockets layer, encryption technology. The way to tell is if the screen shows either a closed lock or an unbroken key icon. Another sign is if the merchant’s web address shifts from “http” to “https” when it processes a transaction. This is far from a secure site, but it’s better than a site that doesn’t have encryption technology.
WHAT TO DO
Computer crime can be so much harder to track down than traditional criminal activity, and I find that you need to approach it differently. As soon as fraud is suspected, it’s important to call in an expert before the evidence can be hidden. That means don’t let anyone touch the computer system. What the security experts will do is undertake a forensic investigation of a computer, using a technique known as imaging, where experts take a copy of the contents so they can be studied without disturbing the original.
Sophisticated crackers know how to shred electronic files and create self-destructing e-mail, but forensic experts have their own ways of finding data, no matter how many times it’s been deleted. There are file undeleting programs that often will catch rookie thieves, more elaborate tools like hex editors that enable you to view even deleted data, and magnetic sensors and electron microscopes that seize on the fact that every file deposits magnetic traces on the disk. Measuring changes in magnetic fields allows experts to reconstruct deleted files or overwritten areas.
Security experts also use things like a “honey pot” or “goat file,” which is a collection of phony files meant to lure a hacker. If he bites and tries to steal them, the system is alerted so he can be traced.
As I’ve mentioned, things you yourself can do to prevent electronic theft include using encryption tools, firewalls, virus scanners, Trojan Horse cleaners, and intrusion detection programs. There are e-mail filters to block messages from known spammers. You can also subscribe to an e-mail filtering service that will scan e-mail for spam because they’re endlessly tricky—sometimes their ruse is even an invitation: “If you don’t want future mailings from us, reply to this address.” You think they’re being considerate. They’re not. If they get a reply, the scammers know you’re a live address and they’ll sell it to endless other scam artists. But spammers keep creating new addresses, so it’s a constant battle. And there are so-called Tiger Teams, computer experts, some of them reformed hackers, who come in and try to penetrate your system and then suggest ways to secure it. Just keep in mind that there is no such thing as an invincible system.
The FBI says if it had one tip to share to help catch cyberthieves, it would be to make certain your computer’s internal clock is synchronized to national standards, because that helps agents trace a thief’s steps.
Employees also need to do a better job of protecting their passwords into their systems. A common scam is for hackers to call employees, identify themselves as part of the company’s technology staff, and say they’re doing a routine check of passwords. Needless to say, if you receive one of these calls, always check with your company before divulging information. You need to choose a difficult password, a mix of letters and numbers, and you ought to change it every six months. Hackers have their own password-cracking software that tests words from lists of commonly used passwords—ordinary names, cartoon characters, rock bands. You wouldn’t believe how many people, for simplicity’s sake, use “password” as their password. Many others unimaginatively use their first name, or actually use none at all but have the “enter” key be their password.
Above all, consumers have to be smarter. When you go online, blind faith doesn’t work. Know who you’re dealing with. Don’t be deceived by some highly-professional looking website. That doesn’t mean it’s legitimate. And no matter how you pay for something, you need to keep records of purchases, because they’re your best defense against fraud.
It’s obvious to me that electronic theft will only get worse, and cyberthieves will become even craftier at stealing and covering their tracks. There’s a familiar saying in the computer underground: if you’re a good hacker, everyone knows your name, but if y
ou’re a great hacker, no one knows who you are. A lot of criminals haven’t even moved online yet, and you can bet they will. Electronic commerce is still growing at a dizzying pace. So as criminals see more opportunity, they’ll be logging on looking for their cut.
9
[WHEN THE
LABEL LIES]
It’s hard to know what you’re getting when you buy something today. And I mean anything. Just ask men in India. Indians, particularly those with money, have a fondness for buying foreign goods. They figure the quality far exceeds domestic brands. And so it’s no surprise that there’s been good business in brand-name, supposedly high-quality prophylactics “imported” from the United States and Singapore. Wealthier Indians don’t mind paying the substantial premiums they command.
The trouble is, many of the condoms are actually imported from no farther away than Calcutta and Bombay. They carry foreign labels and colorful packaging, but they’re decidedly inferior counterfeits, far worse than the cheapest Indian brands. Laboratory tests have concluded that 90 percent of them leak or are of such poor quality that they give dubious protection. Thousands of men have bought the fraudulent condoms, possibly bringing on unwanted pregnancies and exposing themselves to HIV.
But don’t think that counterfeit birth control products are an entirely male issue. Fakery is not a sexist industry. In Brazil, counterfeit Microvlar, the country’s most popular birth control pill, has been actively marketed by thieves. The well-disguised fakes, made out of flour rather than active ingredients, have resulted in a number of women becoming pregnant and/or developing unusual bleeding.
IS IT REAL OR IS IT . . . ?
When you buy something at the mall, the supermarket, or the corner deli today, you really don’t know if you’re getting what you paid for. Is it real or is it fake? Often the experts themselves don’t know. Fake products are hitting store shelves by the bushel, tripling in magnitude in the last decade and costing American companies on the order of $350 billion a year. It’s become a sweet business for scam artists. Dozens of counterfeit wholesalers are said to work in New York alone, with some of them making as much as $3 million a year.