NEWS
Editorial office: Elsevier Ltd PO Box 150 Kidlington, Oxford OX5 1AS, United Kingdom Tel:+44 (0)1865 843695 Fax: +44 (0)1865 843971 E-mail:
[email protected] Editor: Sarah Hilley Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia Production/Design Controller: Alan Stubley Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, email: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier’s home page (http://www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (+1) (978) 7508400, fax: (+1) (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) (0) 20 7631 5555; fax: (+44) (0) 20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article.
Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02065 Printed by:
Mayfield Press (Oxford) Limited
2
Computer Fraud & Security
Editorial
This issue features two reports on the US Government’s efforts to make a right out of a 26.5 million data breach. Higher levels of training and the banning of social security number storage are part of the effort. In a radical move, US-CERT will publicly announce all government breaches every month, as agencies are required to report all incidents to it within an hour. The transparent self-regulation can only be applauded, but it is also only right and proper for a democracy to do so. This month also sees the first US state – Minnesota – introducing a law to make retailers pay banks for card reissuing costs for inadvertently causing a breach. That is fair enough, but banks are also responsible for a plethora of flaws that cause their customers anguish when money is stolen. Card cloning, which bank systems are susceptible to, is an example. I’ve had my card cloned twice in the space of two months. Fair enough – my bank in question refunded the money with no fuss. But it meant £1000 was missing until the affair was sorted out and caused considerable stress. Should account holders sue banks for not protecting their data enough? Retailers in Minnesota will likely improve their data handling, which is welcome. But shouldn’t banks also be more accountable? In the UK, the police no longer handle reports of card cloning – they refer victims back to the banks. But who is policing the banks? The US Government has publicly published its steps to make IT systems secure. Wouldn’t it be nice if the banks publicly published their security policies so account holders could see what is being done to keep their money safe?
UK police bust fraud gang
Five Eastern European scammers have been jailed in the UK’s biggest uncovered credit card fraud.
The gang lived a luxury lifestyle fuelled by the cloning of 32 000 credit cards, which could have netted them £17 million. They bought expensive properties including a converted church in East London with one gang member owning a £1 million mansion in Hertfordshire.
The scam was discovered by chance when British Transport Police (BTP) did a routine terrorist check on one of the fraudsters – Darius Zyla – at Victoria train station in London in September 2005. They found he was carrying 46 mobile phone top-up cards containing credit card details. Zykin’s wife, Malgorzata Zykin, 41, was sentenced to six months in jail last month. The mastermind behind the fraud was Russian man Roman Zykin, 38, who got the longest sentence of five and a half years. North London resident Darius Zyla, 30, from Poland, was jailed for four years, while another Pole, Krzysztof Rogalski, 31, who lived in East London, received a three-year sentence. Estonian Hannes Pajasalu, 34, who acted as a ‘link man’, was put behind bars for two years. The judge recommended their deportation after they serve their sentences. The arrest of Zyla led to an 18-month investigation in which police worked with Europol, the FBI and Estonian police in five countries. The gang used sophisticated encryption methods and had fake passports and many aliases. It is suspected they obtained the card data during a hack on a US-based database some time ago. The BTP allowed the gang to spend lavishly on designer clothes and holidays while it gathered proof to link them to the false cards. They were sentenced on 10 May. A confiscation hearing will take place in Southwark Crown Court on 28 and 29 June.
FBI charges online fraudster
An American man has been charged with swindling more than US$3 million in a massive online fraud.
Twenty-five-year-old Matthew Kichinka from Ohio is accused of making electronic fund transfers from various banks to Ameritrade and E*Trade worth US$3 348 000.
June 2007
He allegedly wired 50 sums of money, committed bankruptcy fraud and made threats to kill another person. Between July 2004 and April 2007, Kichinka used other people’s names, dates of birth and social security numbers to open 35 brokerage accounts with Ameritrade and E*Trade. He is charged with placing stock purchase orders for hundreds of thousands of shares after opening the online accounts, before the issuing bank spotted that the EFTs were fraudulent. Ameritrade and E*Trade lost more than US$300 000 upon liquidation of stock held in the dodgy accounts. He also faces Aggravated Identity Theft charges for stealing and using the confidential records of others to commit wire fraud. Another count is for Bankruptcy Fraud, for false statements he made when filing his bankruptcy case in 2005. The alleged fraudster also texted people threatening to kill them, according to police charges. The threats were transmitted from Ohio through a California-based computer to the recipient near Cleveland.
Online retailers in UK lose £580 million to fraud
Online retailers are losing £580 million per year in the UK from cyberfraud, according to research.
The survey showed that nearly two thirds (64%) of British-based e-commerce retailers have been defrauded. The costs can be as much as 5% of annual turnover in some cases. The research was performed by Visa voucher firm 3V and online retail industry body IMRG. The e-Fraud Barometer reveals that more than a third (36%) of retailers have seen a marked increase in fraud since the introduction of chip and PIN in the high street. IMRG figures predict that online sales could reach £78 billion over the next three years. If fraud continues at its present rate, it could cost retailers £1.5 billion per annum by 2010. Andrew McClelland, director of projects and marketing at IMRG, said: “The research from 3V highlights just how serious the problem of Internet fraud has become for the online retail industry. While the industry is rapidly expanding it obviously provides a tempting target for fraudsters. “Retailers have told us that a range of tools and techniques provide the best defence against fraudulent activity but these should not increase costs significantly, or provide a barrier to legitimate customers.” More than two in five (43%) of retailers said the threat of being hit by fraud is becoming a bigger worry. Two thirds of retailers (64%) are increasing security measures on their websites, while a fifth (21%) say the new systems are placing an increased burden on the consumer. Two thirds of retailers also said in the survey that their customers find signing up to Verified by Visa and Mastercard SecureCode difficult, as they have to remember multiple passwords. More than half (57%) of online merchants have no intention of introducing either system onto their sites. Kieron Guilfoyle, CEO of 3V Transaction Services, said: “While some giant steps have been taken by the retail and payments industries in the last few years to combat the problem of CNP fraud, the impact it is having on some e-retailers is immense.”
Missing disk contains employee SSNs
An Alcatel-Lucent computer disk containing social security numbers (SSNs) of the company’s employees has gone missing.
One of the company’s vendors admitted on 7 May that the disk, which also has names, addresses, dates of birth and salary details of Alcatel-Lucent employees, retirees and dependents, could not be located. Alcatel-Lucent has stressed that no customer or credit card numbers were on the disk. It has not released how many employee records were on the disk. Hewitt Associates sent the disk by UPS delivery to another of the company’s vendors – Aon Corporation. Alcatel-Lucent believes the disk was either lost or stolen between 5 April and 3 May. The US Secret Service is investigating, but there has been no proof that the data is being misused. An internal investigation has also been launched. “We recognize that we have a responsibility to carefully protect this type of information and deeply regret this loss,” said Frank D’Amelio, chief administrative officer for Alcatel-Lucent. “We are taking steps to try to prevent this from happening in the future. In the meantime, we will provide information and assistance to our employees and retirees to help them minimise any potential risk this incident could create for them.” The company notified employees by email of the incident. It also prepared a printed letter to employees, retirees and dependents. The company will also supply the individuals with risk-free identity theft protection and credit monitoring for one year free of charge. The credit monitoring will include unlimited online access to a credit report and score, monitoring of all three national credit bureau reports, email alerts to inform those affected of key changes to their credit report, and fraud resolution and assistance.
Wi-fi free surfer gets fine
An Internet thief who surfed for free outside a Wi-Fi café in the US has been fined US$400 and sentenced to 40 hours’ community service.