Two recent articles, "Hacker Hunters", a recent front-page Business Week article, and "Black Market in Stolen Credit Card Data Thrives on Internet", a New York Times article published today, focus on internet trafficking of stolen credit card data. Vivid descriptions of the fast-paced, lucrative on-line market for stolen credit card data vie for consumers' fear. The articles detail some of the data collection tactics of burgeoning networks of multi-national credit thieves. On-line transactions of the moonlighting crooks are revealed: a shadowy international network deals in stolen data using the internet for transactions that are often tracked to servers hosted in places like Russia, where criminals evade authorities easily.
The Business Week article recounts the previous efforts of "Operation Firewall", an elaborate sleuthing collaboration by the Secret Service and Justice Department that successfully uncovered the inner workings and leaders of a New Jersey-based credit theft ring last fall. It led to the arrest of 28 suspects and provided enough evidence to arrest many more.
The tone of both articles is foreboding: gangs of sophisticated technologists. Slick. Elusive. Evil. The authors warn that although "Operation Firewall" was a success, future Firewall-like operations are less likely to succeed because the thieves are growing ever more sophisticated and daring. Meanwhile, cybersecurity forces are underfunded and undermined by weak institutional support in foreign countries. The articles spin a riveting account of the "hacker hunters" as they struggle to outwit the ever audacious technical prowess of the thieves. The internet plays an ominous role by amplifying the cunning of the perpetrators. It is a feckless, fenceless Wild-West of lawlessness. With its dangerous anonymity, the internet provides the masks that the men will don before galloping down from the hills of Russia, or China, or Bulgaria, swooping in on the gentle townsfolk and destroying the very fabric of our oh-so-civilized civilization, ruthlessly compromising our commerce and banking systems.
"Hacker hunters" are using sophisticated technology but resort to traditional anti-crime methods in this battle:
"...they're marshaling their forces and using gumshoe tactics to fight back -- infiltrating hacker groups, monitoring their chatter on underground networks, and when they can, busting the baddies [sic] before they do any more damage."
The cloak and dagger accounts can divert attention from the issue of how so much of the data in the recent compromises has entered the illegal market. Here are some recent data losses:
- CitiFinancial's 3.9 million customer records were lost off the back of the truck on the way to a data processing center in Allen, Texas.
- Choicepoint "accidentally sold" data on 145,000 consumers to thieves.
- Wachovia Bank's and Bank of America's customer financial records were stolen by bank employees and sold.
- Ameritrade Holding Corporation lost a backup computer tape with 200,000 customers' data.
- Time Warner Inc. said Social Security numbers and other employee data were lost off a truck on the way to Iron Mountain Inc., a data storage company.
- University of California applicant data, unencrypted, was lost when a laptop was stolen from an unlocked room on campus.
- Lexis-Nexis reported that someone had gained access to personal information...somehow...the data had "fallen into the hands of thieves."
- A recent heist of 4 million records from CardSystems Solutions occurred because credit card numbers, identifiers, and security codes were not only left in a database, they were unencrypted, both infractions of data storage protocols.
In each of these cases, the losses occurred because of cavalier and reckless behavior on the part of individuals, companies or organizations that were entrusted with personal data. Human error was responsible, not high-tech shenanigans. In some cases, the public was assured that the "employee was fired"; in other cases the employees were kept on because there were no rules to enforce data safety. If an organization can't be trusted to purge data, or to encrypt data as required, or to keep it on a truck as it travels about town, can we possibly be assuaged by incredible assurances that the data will still 'probably be safe' when it's compromised?
While our system of numeric identifiers and PIN numbers has perhaps outlived its usefulness, until a better system is operable, people and companies who process and "safekeep" data need to be held accountable to some standards. If data didn't fall off trucks, gumshoes wouldn't be so critical.