This year brought no Melissa virus, no Code Red, no daylong outages at Microsoft or Yahoo, and few tales of high-profile hacks. So one might conclude computer crime was down in 2002. And that would be a mistake. Because this year more than any other, fame-seeking teenage graffiti artists were pushed aside by real criminals who have discovered how user-friendly the Internet is. Millions of dollars are being stolen now from innocent and naive Net users by con artists of every flavor, and there’s reason to believe organized crime rings are now taking a sizable slice of that pie. And there’s no reason to think things won’t get even worse next year.
THE CONS JUST kept on coming in 2002. EBay sellers who simply never send the merchandise. Fake online escrow Web sites which lure winners into sending bank wire transfers. Criminals armed with massive lists of stolen credit cards who break into Internet merchant payment systems and refund themselves thousands of dollars. Help desk workers who sell credit reports for $20 a pop.
There’s nothing new about any of these crimes. It’s just that word is out on which cons work best, and the bad guys are catching on fast: much faster than innocent Net users and law enforcement types.
Moreover, the criminals are no longer shy about their heists, which often now net over $10,000 at a clip. An MSNBC.com investigation published earlier this month revealed that fake escrow site victims are regularly forking over $20,000, $30,000, and in one case $55,000 to con artists who create the looks-like-the-real-thing Web page. Many victims think they are getting a great deal on a new car, or a rare gold watch. Instead, they find they have lost a up to decent year’s salary, with no way to recover the money.
Wire fraud artists have discovered the Internet, too. One tiny merchant found $52,000 moved from her bank account to Spain, exported by clever con artists who simply issued about 1,000 credit card refunds to themselves using her account. And she’s not alone — a bank official told her some 30 other merchants had fallen victim to the same crime.
A high-ranking credit card official told her that an organized crime ring was behind it all.
Experts had always speculated that Internet crime was really about the money, that high-profile Web site hacks like the incident at the New York Times a few years ago were merely a distraction. Good criminals do their dirty work in relative silence, don’t call attention to themselves and don’t get caught.
WHERE THE MONEY IS
Cryptography expert Bruce Schneier, chief technology officer of Counterpane Internet Security, Inc. told the SANS industry newsletter earlier this month that criminals are catching on.
“Criminals tend to lag technology by five to ten years, but eventually they figure it out,” he said. “Just as Willie Sutton robbed banks because ‘that’s where the money is,’ modern criminals will attack computer networks. Increasingly, value is online instead of in a vault; illicitly changing a number in a database can be more lucrative than staging a robbery.”
The Internet provides the perfect breeding ground for elaborate cons. On the street, it’s easy to tell the difference between a 50,000-square-foot bank and a guy with a greasy smile who’s passing counterfeit money. On the Internet, PayPal.com looks no different from PayPai.com; e-mail from a crook looks exactly like e-mail from eBay.
And the global network also provides easy access to a potential pool of victims. There’s millions of fresh-faced, naive users who often have their defenses lowered by the wonders of technology. People who scrupulously track paper credit card receipts, but are willing to give out their card numbers to anyone with an official-looking e-mail address.
Then there’s the perfect anonymity of the Internet. And the lack of geographic barriers. It’s easy for someone in a former Eastern Bloc nation to attract thousands of potential victims on the other side of the planet at an auction site. When the money is wired to Latvia, there’s no telling where it went.
In fact, Internet crime is so perfect, identity theft expert Rob Douglas claims drug dealers are trading in their dime bags for dial-up access, since Internet crime is now so profitable, and comes with so little risk.
What made this year different is how brazen the thieves are getting, and how common the crimes have become.
Consider the recent success of “password-stealing” e-mails. These are official-sounding notes which arrive claiming to be from companies like PayPal or eBay. “You must update your credit card information,” the notes say. “Please enter it in this box.” Dressed up by a few legitimate logos, the e-mail appears authentic enough. Of course, the e-mail ends up in a thieves’ hands, who quickly assumes the victim’s identity and sets about turning it into easy money.
The first such password stealers appeared more than five years ago; one author told MSNBC.com back then that he could expect 2 or 3 recipients to fall for the ploy for every 100 he sent. But for some reason, in the last three months of this year, con artists have stepped up their password-stealing spam, and it’s working. Rosalinda Baldwin, who operates auction watchdog TheAuctionGuild.com, says complaints about the mails have skyrocketed recently. Anyone with an e-mail address knows she’s right.
IT ALL STARTS WITH ID THEFT
At the center of all this fraud is identity theft, which can range from the simple heist of a credit card number or the hijacking of an eBay account to the full-blown version, which eventually requires the victim to change Social Security numbers and create an entirely new digital identity.
Every eBay scam, wire scam, escrow scam, and every instance of bank fraud requires criminals to have believable alternate identities. And now, finding a digital alter ego has never been easier.
The Nov. 25 arrest of Philip Cummings provided the clearest window yet into the scary world of identity theft, the core of the Internet’s troubles. Cummings was a humble help desk worker at a tiny software company for about 6 months nearly three years ago. But because of his position at Teledata Communications Inc., and the fragile nature of the credit reference system, Cummings essentially had access to the personal financial records of nearly every U.S. citizen. Even after he left the company.
For two years, Cummings sold that access, stealing 30,000 credit records, single-handedly undermining much of the personal financial system.
But even more scary is the reason Cummings got caught — he was too greedy. Cummings and friends ordered some 15,000 credit reports through one account at Ford Motor Company, and someone eventually noticed the out-of-line activity. Had Cummings been just a little less greedy, he’d probably still be rifling through our credit reports today.
One has to assume there are other Cummings out there right now, operating in the shadows, smart enough to steal their data and money in less obvious chunks — or doing it from safe havens outside the United States. In 2001, the Federal Trade Commission says there were probably 750,000 cases of ID theft. Victims ranged from the woman down the block to Tiger Woods and Warren Buffet. This year will certainly bring more, as one study suggested one in every 50 people have been victims.
This is a crisis, even if it doesn’t feel like one yet. Sun’s Scott McNealy was right and is getting righter all the time, our privacy is hanging by a thread that’s shredding quickly. But it will likely take a high-ranking member of Congress to suffer the pain of a full-blown ID theft — or to suffer the loss of $50,000 in a wire fraud — before the issue gets the attention it needs.
But for now, average Internet users have to swallow a big dose of horse sense, and fast. No one’s going to protect you, so you’d better circle the wagons yourself. Never use your debit card online. And don’t wire money, period. Don’t use Western Union unless you’re son is is stuck in Wall, South Dakota, with a broken down car. Don’t use any kind of bank transfers. Don’t bother even trying to send money overseas, isn’t there enough stuff to buy from U.S.-based Internet merchants?
Deal only in credit card transactions, and watch your bills like a hawk.
Never send out information like financial accounts or passwords in an e-mail, no reputable company would even ask.
And finally — and I hate to sound like a schoolmaster here, but I’m going to — stop obsessing over getting too-good-to-be-true deals. I’ve spoken to hundreds of fraud victims this year, and so many of them had one thing in common: their own greed was turned against them. “If I just wire money to Latvia, I’ll get these cell phones at half-price,” the victim thinks. Or, “this watch, it should cost $20,000, but this fool is willing to sell it for $13,000!” In both cases, the victim knew somewhere inside that the deal was just too good, but the temptation was too much. Criminals know this, and like a clever wrestler, they turn their victim’s energy against them.
If the cons rarely worked, con artists would have to find another line of work. While it’s time federal authorities started taking Internet crime seriously, started passing tough ID theft laws and continues prosecuting con artists, it’s also time average Internet users stopped making things so easy for the bad guys.