UK police bust fraud gang


NEWS

Editorial office: Elsevier Ltd, PO Box 150, Kidlington, Oxford OX5 1AS, United Kingdom. Tel: +44 (0)1865 843695. Fax: +44 (0)1865 843971.

Editor: Sarah Hilley

Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia

Production/Design Controller: Alan Stubley

Printed by: Mayfield Press (Oxford) Limited


Computer Fraud & Security

Editorial

This issue features two reports on the US Government’s efforts to make a right out of a 26.5 million data breach. Higher levels of training and the banning of social security number storage are part of the effort. In a radical move, US-Cert will publicly announce all government breaches every month, as agencies are required to report all incidents to it within an hour. The transparent self-regulation can only be applauded but it is also only right and proper for a democracy to do so.

This month also sees the first US state – Minnesota – introducing a law to make retailers pay banks for card reissuing costs for inadvertently causing a breach. That is fair enough, but banks are also responsible for a plethora of flaws that cause their customers anguish when money is stolen. Card cloning, which bank systems are susceptible to, is an example. I’ve had my card cloned twice in the space of two months. Fair enough - my bank in question refunded the money with no fuss. But it meant £1000 was missing until the affair was sorted out and caused considerable stress. Should account holders sue banks for not protecting their data enough? Retailers in Minnesota will likely improve their data handling, which is welcome. But shouldn’t banks also be more accountable? In the UK, the police no longer handle reports of card cloning – they refer victims back to the banks. But who is policing the banks?

The US Government has publicly published its steps to make IT systems secure. Wouldn’t it be nice if the banks publicly published their security policies so account holders could see what is being done to keep their money safe?

UK police bust fraud gang

Five Eastern European scammers have been jailed in the UK’s biggest uncovered credit card fraud.

The gang lived a luxury lifestyle fuelled by the cloning of 32 000 credit cards, which could have netted them £17 million. They bought expensive properties including a converted church in East London with one gang member owning a £1 million mansion in Hertfordshire.

The scam was discovered by chance when British Transport Police (BTP) did a routine terrorist check on one of the fraudsters, Darius Zyla, at Victoria train station in London in September 2005. They found he was carrying 46 mobile phone top-up cards containing credit card details.

The mastermind behind the fraud was Russian man Roman Zykin, 38, who got the longest sentence of five and a half years. Zykin’s wife, Malgorzata Zykin, 41, was sentenced to six months in jail last month. North London resident Darius Zyla, 30, from Poland, was jailed for four years while another Pole, Krzysztof Rogalski, 31, who lived in East London, received a three year sentence. Estonian Hannes Pajasalu, 34, who acted as a ‘link man’, was put behind bars for two years. The judge recommended their deportation after they serve their sentences.

The arrest of Zyla led to an 18-month investigation where police worked with Europol, the FBI and Estonian police in five countries. The gang used sophisticated encryption methods and had fake passports and many aliases. It is suspected they obtained the card data during a hack on a US-based database some time ago. The BTP allowed the gang to spend lavishly on designer clothes and holidays while it gathered proof to link them to the false cards.

They were sentenced on 10 May. A confiscation hearing will take place in Southwark Crown Court on 28 and 29 June.

FBI charges online fraudster

An American man has been charged with swindling more than US$3 million in a massive online fraud.

Twenty-five-year-old Matthew Kichinka from Ohio is accused of making electronic fund transfers from various banks to Ameritrade and E*Trade worth US$3 348 000.

June 2007