A Global Trap

The announcement in early August that U.S. grand juries had indicted 11 men for allegedly hacking into and stealing payment card data from the networks of several major merchants was a much-needed break for investigators trying to thwart payment card data theft.

Though only three of the indicted men were in custody at the time of the announcement, they represented quite a catch, charged with years of computer-network hacking and using and selling payment card data stolen from TJX Cos. Inc., BJ's Wholesale Club, OfficeMax, Boston Market, Forever 21, Barnes & Noble, Sports Authority and DSW Shoe Warehouse ("Card-Security Struggles Continues," September).

As with other Internet-based criminals, the vast majority of big-time card fraudsters go unpunished. Though the payments industry and law-enforcement agencies around the world have improved their investigation techniques and cooperation in recent years and, as a result, are infiltrating more Internet crime rings and catching more criminals, more collaboration and organizing are needed, experts tell Cards&Payments.

In May, U.S. Secret Service agents arrested Albert Gonzalez in Miami for his alleged collusion in hacking into a database for restaurant chain Dave & Buster's to steal card data in 2007. His is the biggest name associated with the August indictments.

"The Albert Gonzalez case was probably the most significant arrest when it comes to credit card breaches to date," says a Visa executive who asked not to be named. "We've seen now close to two years where the (U.S.) Secret Service has really stepped up their efforts internationally to work with law enforcement in other countries."

Joshua Peirez, chief payment system integrity officer for MasterCard Worldwide, agrees. "Law-enforcement agencies around the world are doing a better job of coordinating around these crimes, which makes our job easier."

Gonzalez allegedly made fraudulent purchases and cash withdrawals from Dave & Buster's card accounts and sold card data to others. Gonzalez had served as a hacker-turned-informant for the Secret Service since 2003. His assistance led to the arrests of 28 individuals in 2004 for their participation in Shadowcrew, a Web site where fraudsters bought and sold stolen credit and debit card data.

Though Gonzalez allegedly returned to crime himself, such relationships with insiders are necessary to crack big cases, according to Avivah Litan, a Gartner Group LLC analyst who studies merchant security. "You can't catch these fellas without a lot of undercover work, infiltrating and eavesdropping," she says.

Indeed, Turkish police arrested another of the men indicted, Maksym "Maksik" Ystremskiy of Ukraine, in July 2007 after American authorities found out he would be traveling there. And German authorities arrested Aleksandr "Jonny Hell" Suvorov, who also was tied to the Dave & Buster's data breach, while Suvorov was visiting from Estonia in March of this year. The U.S. is in extradition talks with both countries.

Litan says members of various U.S. law-enforcement agencies tell her there were some turf battles early on among the agencies charged with investigating the TJX case, as there are in other card-fraud cases.

Secret Service agents tell Cards&Payments there were no turf battles in the TJX case and that investigators from various U.S. agencies get along just fine. The Secret Service generally handles fraud related to counterfeiting, and therefore cloned cards.

But the same card-fraud cases can fall under the realm of the Federal Bureau of Investigation, which steps into hacking incidents, and the U.S. Postal Inspection Service, which takes on crimes involving cards and account information purposely sent to wrong addresses or crooks who send merchandise purchased with stolen or cloned cards through the mail.

When asked about the truth of the stereotype of turf battles among local and federal investigators, Greg Crabb, assistant inspector in charge of the cyber intelligence division of the U.S. Postal Inspection Service, says, "I'll decline to comment on that one."

He adds that "on some occasions it can be confusing" as to which agency will take on which card-crime case or aspect of a case, but the Postal Inspection Service looks to the computer crime intellectual property section of the U.S. Department of Justice to coordinate such investigations. "They help us find out about cases we may not know another agency is even working on and can be very helpful in coordinating the case," Crabb says.

Besides working with law enforcement in other countries, the Secret Service since 1995 has sought to coordinate local law-enforcement and private-industry efforts to fight cyber crimes with chapters of its Electronic Crimes Task Force, now established in 24 U.S. cities. Secret Service agents in those cities organize quarterly meetings, usually with a guest speaker, which enables meet-and-greet sessions and information sharing.

"It's not unusual to have a couple hundred members come to a meeting," says Edwin Donovan, a Secret Service spokesperson.

Overcoming Mistrust
Such alliances between private industry and law enforcement are important to overcoming mistrust between the two entities, Litan says. "Certain law-enforcement officials are frustrated with the banks and card companies," she says. "They don't get the information up front. This was true at the state level, but it's also true at the federal level."

Bankers often complain that their cases do not always get adequate attention from law enforcement when they seek help. But law enforcement says it cannot take on every case, especially those involving relatively low losses in which the perpetrators are long gone or working from other countries.

Local law-enforcement agencies still occasionally go after small-time card thieves, says Ed Lowry, a Secret Service assistant special agent. But the Secret Service has shifted its focus to trying to work its way into communities of big-time "carders," or crooks who buy and sell massive quantities of card numbers and communicate with hackers through Internet chat rooms.

"To make an impact, you have to go after buyers and sellers," Lowry says. "The real problem behind this crime is the folks who have the technical expertise to mine or steal information in the first place."

Finding who those criminals are and where they reside is difficult, says Ken Jenkins, acting special agent in charge of the Secret Service's criminal investigation division. "Really, all you have is the computer that is doing the intrusion, and you have to work your way up to where this computer is," he says.

Forming and maintaining close relationships with law enforcement in other countries, particularly countries known as hotbeds of online theft and fraud, is essential to catching criminals, Lowry says. "Having agents on the ground (outside the U.S.) on a full-time basis is preferable but not always feasible," he says. "The Secret Service is aggressively pursuing partnerships around the world, and we have offices around the world."

Payments Industry Input
An important part of investigative cooperation is making sure police present for arrests gather key evidence from suspects, the Visa executive says. "It's more common for them to go to another country and be there to make sure to recover the computer equipment and hard drives they have in their possession," he says.

The growing number of law-enforcement units, private-industry investigators and public/private industry task forces dedicated to tracking cyber thieves also is helping generate more cooperation.

Perhaps the most well-funded public/private partnership is the Dedicated Cheque and Plastic Card Crime Unit of APACS, a United Kingdom card-industry trade association. The unit's 29 member financial institutions "sponsor" the unit, to the tune of £5 million (US$8.9 million) per year. APACS would not say how much or what percentage each sponsor contributes.

John Folan, detective chief inspector for the unit, says using the term "sponsor" instead of "funder" is an important distinction for British lawmakers. "For the private industry to be funding the police is not something that's encouraged because people are bothered about favoritism or the possibility of buying law enforcement," Folan says.

The unit's 38 investigators, a mix of City of London sworn officers, Metropolitan London police and bank investigators, choose carefully which cases to pursue, focusing only on those that have better chances of making bigger dents in UK card crime. Since the unit was founded in April 2002, it has saved the industry an estimated £250 million, Folan says.

The unit has a new fraud intelligence-sharing system, a repository for fraud data financial institutions share. "We can manipulate and analyze the data, then send it back to our members," Folan says. "For example, a criminal can have a mobile phone that's involved in more than one fraud. That number might appear on several [Web] sites."

The APACS crime unit has made some 500 arrests since 2002, 95% of which have led to convictions, Folan says. One key to the unit's high conviction rate is carefully choosing which cases, referred by financial institutions, to take on. "We're set up to go for organized crime gangs, not individual stuff," Folan says.

And the unit shies away from older crimes, or those that have occurred over the course of several years. "Here in the UK, if you put a case up for trial, the defendant is entitled to see everything involved in the investigation," Folan says, adding that such cases often require mountains of expensive-to-produce evidence. "We tend to look for things that are still in motion, so we don't have to do a massive inquiry. And we take the individual at the earliest possibility."

With chip-and-PIN smart card security driving more fraud away from points of sale in the UK, more card thieves are turning to the Internet for easier opportunities (see chart). But card-not-present fraud is particularly tough to police, which means the unit tends to avoid it unless it gets a tip a thief will show up at an airport or has stolen goods delivered to a physical address in the UK.

"Most of that is outside our borders, so there's not a lot we can do about it," Folan says.

Folan says the unit's relationships with national governments and police forces in Eastern European countries, some of which are the main sources of payment card fraud in the UK, "are very good." He declined to name specific countries, other than to say the unit is training the Polish judiciary to handle card-fraud cases.

Establishing and maintaining cross-border relationships between law enforcement is key to fighting card crime, Crabb agrees. "I've got a gentleman that reports to me from Europol," he says. "To be able to pick up the phone and have him go over and talk to the French liaison officer or Latvian officer is invaluable."

Peirez, who also declined to name specific countries, says police in many countries where a high number of card criminals live are helpful and effective in finding and arresting thieves. "But some jurisdictions don't have very strict penalties for arrested criminals," Peirez says. "And even where the penalty is sufficient, the crime may be difficult to prove. You're going to have to find it all on [suspects'] computers."

The Visa executive says authorities in some Eastern European countries often are less than helpful in fighting card crime. "The two countries where you really see this all get tracked back to are the Ukraine and Russia," he says. "That's seen on the various criminal underground chat boards hosted there."

While police in Ukraine have been helpful, politicians with more power have not, the Visa executive says.

To cite a recent example, after the Orange Revolution brought new, more-cooperative leadership to the Ukraine, Ukrainian police in the summer of 2005 finally arrested Dmitry Ivanovich Golubov, at 22 years old one of the top operators of Carderplanet.com, an Internet forum that served some 7,000 debit and credit card fraudsters around the world.

It was a major win for U.S.-based investigators, who had flown to Ukraine a couple of weeks before Golubov's arrest. The U.S. Postal Inspection Service, Secret Service and FBI had spent years trying to track the location and identity of "Script," Golubov's online nickname, while building a case against him.

"I had the good fortune to work with Ukrainian law enforcement to get this arrest," Crabb says. He says the police unit of the Ukrainian Ministry of the Interior was particularly helpful to foreign agents, including U.S. postal inspectors, in securing Golubov's arrest.

But six months later, two Ukrainian lawmakers convinced a judge to release Golubov on bond. U.S. officials worried Golubov would flee before his trial. Instead, Golubov surfaced in March running for a position in the Ukrainian parliament as head of the Internet Party of Ukraine, a party he helped create.

"That was probably one of the most disappointing losses," the Visa executive says.

UK investigators have faced similar frustration watching suspects go free. In a recent case, armed Sri Lankan youths tried to coerce another Sri Lankan youth working at a gas station in Kent into letting them install a card skimmer on a payment terminal at the station. The youth went along with their demands but removed the skimmer the next day. The gang kidnapped him and demanded a ransom from his friends and brother.

Kidnapping is not common in UK card-crime circles, but certain gangs there favor it for a number of crimes, Folan says. Authorities rescued the clerk, rounded up suspects and found in their possession equipment used in card cloning and fraud.

The kidnapping charge was overturned in court. "Once the kidnapping went, the whole job went," Folan says. Though the suspects walked, investigators recovered close to 200,000 card numbers. "Once we analyzed them, we had 40,000 original numbers," Folan says.

Coordination 'Disjointed'
Despite the unit's relative success, Folan says the UK overall lacks coordination among various law-enforcement bodies to fight cyber crime. "It's quite disjointed, currently," he says.

The UK addressed that issue recently by assigning the City of London Police as the lead agency in investigations of fraud throughout England, Wales and Scotland. The unit is developing a national fraud-reporting center and national intelligence bureau, Folan adds.

Folan wishes such coordination would expand to law-enforcement agencies and private industry affected by fraud around the world. "We're all sitting in little silos," he says. "I would love to see a global village of online fraud intelligence-sharing because these [criminals] have no borders, no boundaries."

Despite better cooperation, information-sharing still is far from fluid, especially between private industry and law enforcement in the U.S., Litan says. "My view is that banks are not working with law enforcement nearly as closely as they could," she says. "Banks may not trust [the police]. They have their own fraud-detection systems, and they may be concerned the cops will come in and bungle everything."

Many merchants also are less than eager to share with outsiders details of possible crimes and compromises of their payment networks. Most larger merchants find out about possible breaches from their merchant acquirers, who break the bad news that card networks have discovered that several cardholders complaining of fraud on their accounts all used their cards at the same merchant.

But some merchants discover a possible breach on their own and not all are quick to contact police or, even better, the Secret Service, says the Visa executive. "It's all across the board," he says. "Some [merchants] are really quick to inform law enforcement, and others are very slow about it. Sometimes, the [merchant] feels they have a very good [IT] department, and they can handle it on their own."

Information-Sharing
The lawsuit by several financial institutions against TJX Cos. Inc. also could have a chilling effect on information-sharing, some sources agree. The financial institutions settled with TJX in their case seeking compensation for costs of reissuing or monitoring compromised credit and debit cards, but not before the case dragged years of private TJX documents into court records for public viewing: merchant-acquiring contracts, e-mails, and depositions by Visa and MasterCard executives.

"Any entity that is the victim of a compromise now is thinking about the financial liability and litigation that comes with that," the Visa executive believes.

Visa tries to cooperate with merchants on any nondisclosure agreements or assertions of attorney-client privilege that do not violate government or industry breach disclosure rules, the executive says.

MasterCard's Peirez says most merchants, issuers and acquirers in MasterCard's network "do a good job, in general, of reporting problems." But merchant responses to outsiders seeking information about possible security compromises have always varied, even before the TJX case. "There are some merchants who lawyer up very early, and there are others who are very helpful and forthcoming," he says.

Working with law enforcement and card networks to investigate possible data compromises can help stem card data loss early and set merchant fears to rest, Peirez adds. "The quicker they provide full access to law enforcement and investigators, the better," Peirez says. "These criminals may be able to cover their tracks and hide evidence. ... But a lot of times it is a very small event" such as insider theft of a few card numbers.

Crabb sympathizes with merchants concerned about protecting corporate secrets and suggests some might want to ask law enforcement to issue grand jury subpoenas, which often mandate parties involved in an investigation delay or withhold disclosure of certain information considered vital to an investigation and possible indictment.

"If we get information through a grand jury subpoena, we cannot share that information until either the case is brought to trial or a court order is obtained that will make that information public," Crabb says. "I prefer that be used as a tool to [merchants'] benefit and not detriment."

Card brands require merchants with suspected or confirmed data breaches to hire qualified security assessors from a list approved by the Payment Card Industry Security Standards Council to conduct forensic investigations of their payment networks.

In the banks' lawsuit against TJX, judges blocked most documents generated by forensic investigators from the public record. But summaries of how the breach occurred made their way into official government reports in Canada and elsewhere.

Despite a public demand for information that affects millions of consumers, such government-mandated disclosures have made many merchants less welcoming of security assessors they hire than they were previously, says Andy Bokor, chief operating officer of Trustwave Corp., a U.S.-based data-security company that conducts forensic investigations.

Attorney Involvement
"The legal involvement has definitely increased over the years," Bokor says. "Clients have their attorneys involved early on. They're trying to police how much information is given to the assessor, and that sometimes makes it more complicated."

Many of the early attorney discussions with Trustwave are about how much the investigation will cost. "Many merchants are very price-sensitive, and it takes them aback the level and scope of the project and what we need to do," Bokor says.

Other discussions center around what information Trustwave will uncover and who else will see that information. "It's a balancing act because we have a contractual relationship with our clients, but we have a fiduciary agreement with the card brands," Bokor says. "As the level of legal involvement has increased, we've become increasingly adept at disclosing our relationships and what we can and can't do."

Trustwave interacts directly with Secret Service agents, whose jurisdiction involves payment card counterfeiting and fraud, and Secret Service or FBI officers, who focus on data breaches, Bokor says. But often Trustwave simply presents the information to the merchant and card networks to pass along to police.

"We provide a lot of data and give our summary of what we think took place," Bokor says.

Despite such nervousness, data-disclosure laws and better monitoring have increased disclosure of data breaches and card fraud in recent years, which has brought greater awareness of the problem.

That awareness has drawn more funding globally for data-theft and card-fraud investigations, smarter investigations, and more cooperation and coordination between public and private industry. With a big arrest behind them, the worldwide network of card-crime fighters has plenty of other investigations to keep it busy.

