THIEVES LOOKING FOR INTERNET SUCKERS
By Jon Christian Ryter
June 22, 2005
When MasterCard International reported last Friday that hackers may have exposed over 40 million credit card holders—of all brands—the same type of panic witnessed during the Crash of '29 was seen everywhere in the financial world, from the Ivory Towers at Wall & Broad Streets in New York to the Sears Tower in Chicago to the halls of Congress in the nation's capital. Of the 40 million credit card records now at risk, 13.9 million of them are for MasterCard holders. Twenty-two million of the records were for Visa. The balance, approximately 4.1 million, belonged to Discover and American Express card holders.
The announcement by MasterCard International was the second potential identity theft scandal in as many weeks. If you recall, UPS lost the credit information on about 3.9 million Citigroup customers on June 6 while transferring computer tapes to a credit-reporting company. The computer tapes were not encrypted, which means anyone who got them had immediate access to a ton of information about Citibank's customers.
Sen. Patrick Leahy [D-VT], one of several lawmakers who are frantically working on identity theft legislation, noted that it's "...like the Wild West out there." Leahy commented that the problem, as he saw it, was that "...the handling of electronic data is weighed heavily to the convenience of the corporate world at the expense of consumers."
To make "instant credit" instantaneous, the information America's retail community needs to make credit decisions—your credit history and the current balances on your credit cards—has to be readily available to the merchants who offer consumers the convenience of buying by credit card. But, what is convenient is also going to be problematic since data that is not shielded by an impenetrable firewall is available to any computer hacker who knows how to farm this data from the weakest link in the datastream.
In this case, the weakest link was CardSystems Solutions, Inc. of Atlanta, Georgia. CardSystems is a credit card processing company that acts as a clerical middleman between MasterCard, Visa, Discover, and American Express and the retailer. While they process credit card payments for several banks, CardSystems is the processing agent for Merrick Bank Corporation of South Jordan, Utah and Provident Bank of Cincinnati, Ohio. CardSystems' job is to make sure the correct bank is charged for the money that is then transferred electronically to the retailer who sold the goods. What companies like CardSystems do is simple routing of transactions. One, two, three. Done. Gone.
Not only was there no logical reason for CardSystems to have a database of the credit card transactions they processed, but under their contractual agreements with credit card companies, processors are not allowed to retain any cardholder information after processing the transactions. Joshua Peirez, an official for MasterCard, told the New York Times that "...CardSystems provided services, and is supposed to pass that information on the banks and not keep it. They were keeping it."
On May 23, when CardSystems Solutions learned their firewalls had been breached over the previous weekend, and data from 40 million credit card accounts had been hacked, they called the FBI, which is now investigating the theft. What is most interesting about the theft from CardSystems Solutions is that there was no logical reason for hackers to penetrate their firewalls since credit card processing companies aren't allowed to possess a database of the transactions they process. Cyberthieves, who risk a 20-year prison term just for hacking the firewalls of a financial institution, would very likely know that, and wouldn't waste their time. The fact that they did suggests the hackers knew CardSystems had a database it wasn't supposed to have and perhaps thought they wouldn't report the theft.
John Perry, CEO of CardSystems, said they had the database for "research purposes" to determine why some transactions registered as either "unauthorized" or "uncompleted." But, he admitted, his company should not have had the database.
Credit card users using MasterCard or Visa cards issued by Provident or Merrick Bank should demand that their credit be frozen to prevent identity theft until the FBI gets to the bottom of the theft at CardSystems. A credit freeze prevents lenders and other interested parties from reviewing a person's credit history for any reason. Since lenders need to see credit histories before issuing new credit, identity thieves can't open fraudulent accounts using the names of people whose identity they stole over the Internet.
By January of this year only three States—California, Louisiana, and Texas—had adopted credit-freeze laws that allow consumers to freeze their own credit to prevent identity theft. On July 1, Vermont will be the fourth State to have a credit-freeze law. Three weeks later Washington State will become the 5th. And, on Feb. 1, 2006, Maine will become the 6th State. Twenty other States have bills pending in their legislatures that will allow victims of identity theft to freeze their own credit to prevent identity thieves from profiting from the theft of their identities.
On the last day of Utah's legislature, a credit-freeze bill was defeated because car dealers opposed it, arguing that such legislation would hurt their business since, they said, most car buyers want to drive their new car off the lot the same day they pick it out. If the sale is delayed because an extra day is required to obtain credit information, the dealers claim they would lose a percentage of the sales they would otherwise get.
Clearly, it doesn't matter to the car dealers that having easy access to the customer's credit history means identity thieves can get the information just as quickly as they do. Clearly, the ability to freeze your credit benefits only the consumer. It doesn't help the business owner—who really couldn't care less if someone steals your identity an hour after he sells you a car. He got his sale. Some States, mindful of the demands of the business interests that fill the campaign coffers of the State politicians, balance the need for privacy of the consumer with the need of the business owner to gain quick access to your credit information—even if you have not signed a release authorizing them access to that information. Just for the sake of example, within the last two weeks I received three "preapproved" money offers from mortgage companies (including my own) to refinance my home.
One of them, Willy-Wonka Finance, (I changed the name of the real company since I don't want to give them a free plug) contained a printout that showed my current mortgage less escrow payments and the total amount my wife and I owe on our credit cards—and the amounts we paid on those credit cards two months ago. The information was provided—or rather, sold—to that mortgage company by Equifax. Willy-Wonka Finance had no conceivable right to confidential information about my credit history—even if it was obtained to make sure it would be a prudent investment on their part. Period.
That is what's wrong with the system today and why identity theft has become so rampant. The safeguard—our signatures—that allowed them access to our credit history is no longer required because we are no longer people to the banks and finance companies of America. We have been reclassified as human capital—a commodity—to those who now profit from us twice. They profit from us first when we do business with them. They profit again when they sell the databases that contain confidential information about us to companies like Equifax that sell our credit history to direct marketers with whom we've never done business and likely never would under normal circumstances.
The data Willy-Wonka Finance purchased to make their sales pitch to me was information they should not have been allowed access to. They got it because they paid Equifax or someone like Equifax for it. Credit agencies profit by selling your credit history—good or bad—to any merchant willing to pay for it. Unfortunately, the more times those databases are sold, the less secure that information becomes. Thus, because of the greed of bankers, merchants and the purveyors of electronic data, we are at risk from identity thieves. The legislation that Leahy and other members of Congress should be sponsoring is not a law to regulate how this "product" (information about us) is sold, but rather, it should be a law to repeal all of the laws enacted by previous Congresses that gave profiteers access to our credit histories without our authorization. Particularly since that "confidential information" is so secretive that we pretty much have to retain a lawyer to access our own files at the local credit bureau. What's wrong with this picture?
As a result, the fastest growing online industry today is selling "dumps." Black marketers like ZoOmer sell dumps. A dump is a stolen credit card number. Dumpsters operate in the cybershadows (the online equivalent to "back alley") all over the world, using sophisticated electronic cloaking devices to conceal where their websites transmit from. For $100 ZoOmer will sell you a Gold or Platinum Visa or MasterCard credit card number. (You can buy them as cheap as $50.00.) With it, you get the card owner's name, billing address, phone number and even the card's expiration date. When you get caught—as most amateur identity thieves do since even though they want the credit card bills to go to the real card owner, they want the merchandise they purchase to come to them, and have it shipped to their homes or PO boxes—you are facing a stiff prison sentence. The dumpster simply moves on, continuing to hack the most vulnerable data centers to steal even more credit information. According to the Federal Trade Commission, approximately 10 million Americans have their identities stolen each year—and the number is growing.
The hottest commodity on the black market today, and the most lucrative for the identity thief, is the COB Dump. COB is an acronym for "change of billing." COB dumps are those in which the illicit buyer can change the billing address through the PIN number that is sometimes linked to the confidential information about the card holder. Usually the COB will be a PO Box that is opened under the cardholder's name in another city or State. This allows the person who has assumed your identity to receive the merchandise he or she is buying with your credit—and, at least until either the fraud is discovered or suspected, or the bank cuts off the cardholder's credit due to nonpayment—avoid apprehension. If he or she can secure enough of your credit and personal history, many times the identity thief will simply assume the complete identity of his or her victim, virtually becoming that person in another State—even to the point of borrowing the victim's scholastic records and work history to get a job and buy a home or car. When they become tired of being their victim (usually when they are being devoured by unpaid debt), they simply pack up and resume their former identity, leaving their victim to face the debts they created.
As society becomes more cybermobile, and consumers learn they can buy anything they want on the Internet without ever leaving the sanctuary of their home—including a new car—online commerce will slowly begin to encroach on onsite consumer sales and the purveyors of identity theft will become even more emboldened as the opportunity for profit soars.
Tragically, the efforts by online companies to improve web security by building even more complex firewalls are more an illusion than fact since a good hacker can usually find his or her way around any firewall—even those in the US Justice Department or the Department of Defense.
It is important for any online business that transacts business with credit or debit cards—which is virtually every online business in the world—to make consumers feel "safe." While most online businesses have fairly secure firewalls and have never been hacked, it is only because they aren't worth the effort of a good hacker.
Hackers who have the talent to crack the firewalls of America's Fortune 500 companies are looking for bonanza web sites with enough data to make the visit profitable. Generally the hacker wholesales the data he steals for pennies per name. Hackers will theoretically go to prison just as long for hacking a mom and pop website as they will for hacking someone like Citigroup or CardSystems Solutions. The tough new identity theft laws—and stiffer penalties for cybercrimes—combined with encryption devices that are supposed to be uncrackable offer the consumer a false sense of security because, it seems, the more laws that are created to punish the law breaker, the greater the demand from greedy bankers and merchants to provide easier and swifter access to confidential credit information to accommodate impatient customers who want their new car yesterday.
Add to that the purveyors of electronic data who will sell your credit information to anyone—even to identity thieves themselves who have learned how to move about in the highly structured world of electronic data sales. The online sale of credit history and raw consumer data is a complex world of buyers, sellers and intermediaries offering temporary visas to the power players. The players come from all over the world. Most of today's cybercriminals are headquartered in Russia, the Middle East, Africa or China since these are the safest portals from which to operate. There is less risk of being caught, and more of an opportunity to buy yourself out of trouble if you are arrested.
Generally, buyers and sellers of stolen identities meet online. Both become invisible the moment the sale is made. Spammers are the fuel that speeds the trafficking of identities between buyers and sellers. Scam spamming can also be very dangerous for the recipient of the spam since some of the most prolific "phishers" of data use seemingly harmless emails. "What was your mama's maiden name?" is one of those innocuous questions that most of us would answer without a second thought. Yet, how many of us use our mother's maiden name as the secret question we answer to regain a forgotten password? What information did you provide the spammer the first time you learned that Bill Gates wanted to give you a new computer for a "marketing test?" How many people sent in their social security number to spammers purporting to be the Rockefeller Foundation or the Carnegie Trust to get $100 they were prepared to give to every American for completing a simple survey? Most of these phishing expeditions will net the spammer hundreds, if not thousands, of names, addresses, phone numbers and, yes, even social security numbers. Hard to believe, isn't it? We're all supposed to be intelligent adults (since we know how to use computers), but apparently once we lose all of our teeth, we start believing in the tooth fairy. "You are the lucky winner of the Irish Sweepstakes." (Stop and think...did you ever buy a ticket?) "...As soon as we receive your social security number so we can notify the federal government that you just won $10 million, we will send a cashier's check in that amount, less taxes, to MR. JOE STUPID (of course, that's where your name fits)."
We just don't realize it, but that black hole known as the cyberworld is just as dangerous as any back alley in New York, Chicago or Washington, DC after midnight. It's a place where we get hacked, cobbed and phished—that's cyberjargon for held up, robbed and screwed.
© 2005 Jon C. Ryter - All Rights
Jon Christian Ryter is the pseudonym of a former newspaper reporter with the Parkersburg, WV Sentinel. He authored a syndicated newspaper column, Answers From The Bible, from the mid-1970s until 1985. Answers From The Bible was read weekly in many suburban markets in the United States.
Today, Jon is an advertising executive with the Washington Times. His website, www.jonchristianryter.com, has helped him establish a network of mid- to senior-level Washington insiders who now provide him with a steady stream of material for use both in his books and in the investigative reports that are found on his website.