The Art of the Steal (20 page)

The Trojan Horse could also carry a more elaborate desktop monitoring program that functions almost exactly like a surveillance camera. Now when you’re on line, the criminal views live on his computer everything that you type and see on your screen. He could be in Turkey, but it’s as if he were sitting beside you. If you log on to your bank account, entering your account number and your PIN, the thief in Turkey sees precisely what you’re doing. He can then log on to your account and have your bank send him a check that cleans out your savings. And you never even knew he was there.

A Trojan Horse can also deposit a remote access program that not only enables a crook to see what someone is doing, but also lets him get into that person’s computer, fool with his files, and disrupt his system. The best known of these snooping devices is Back Orifice. It was devised by a hacker group called the Cult of the Dead Cow. The program’s name spoofs Microsoft’s Back Office software. Again, these programs have a legitimate purpose. The majority of companies have them so employees can work from home or while they’re traveling. Well, thieves like to telecommute, too.

One of the more ingenious and remarkable Trojan Horse scams was pulled a few years ago by three men on Long Island. They set up several voyeuristic websites named beavisbutthead.com, sexygirls.com, and ladult.com that advertised free “adult” pictures. Internet users who happened upon the sites in their Web surfing were instructed to download a viewer program that would allow them to see the sexy pictures, and a lot of men did just that. What did they have to lose? The pictures were free, weren’t they?

Unfortunately, however, the viewer that was to furnish the pornographic pictures turned out to be more than just a viewer. It also housed a Trojan Horse that commanded your computer to do a few other things. It shut down your volume control so you wouldn’t hear anything coming out of your speakers. Then it hung up your modem line and dialed a phone number in Moldova, a tiny nation you probably rarely called that was one of the former Soviet republics. With the speakers shut off, you couldn’t hear that scratchy telltale sound of a modem dialing a number. The call to Moldova was answered by a computer that reconnected you to the adult site and caused a photo of an unclothed girl to show up on your screen. While you were admiring her curves, you were paying big-time for a transatlantic call.

It got worse. There was only one photo, and it wasn’t that great, so most people abandoned beavisbutthead pretty quickly. But leaving the site didn’t disconnect the call to Moldova. Even when you signed off the Internet and went on to write some poetry in your word processing program, your modem was still talking to Moldova. The hijacking of your modem call didn’t end until you shut off your computer, which could have been hours later. If you left it on all night, you were in for a really rude surprise. Some people found charges as high as three thousand dollars on their phone bill. In just six weeks, the scam attracted 800,000 phone minutes to Moldova. Never was the country so popular.

WHAT TO DO

There are plenty of tools designed to thwart Trojan Horses, but it’s a constant battle against criminal ingenuity. Anti-Trojan Horse programs and anti-virus software are widely available, but they need to be updated regularly if they’re going to succeed against the latest Trojan Horses and viruses. And you need to use some common sense. Don’t download attachments from people you don’t know, and don’t download software off the Internet unless you’re sure of the site that’s offering it. If you download a program from a website you’re unfamiliar with, that’s about the same as ordering your prescription drugs from Nigeria. You need to know the source and content of every file you download. Even if the file says it comes from a friend, be doubly sure before you download an attachment.

THE HIDDEN AGENDA

Criminals think differently than most people. To avoid being scammed, you have to start thinking the way a criminal does. For instance, I visited a company while it was going through the frantic preparations for the Y2K rollover, when everyone feared computers might misconstrue dates after January 1, 2000. Everywhere I looked, programmers were scooting around the premises, fixing computer code.

I asked the executives, “Who are you using to prepare your computers?”

“Oh, these guys from India,” they said. “They’re really sharp. And they’re cheap.”

“Really?” I’d said. “Did you check out their backgrounds? Did you have them bonded? How do you know you can trust them?”

They looked at me and their jaws dropped. They didn’t know if they could trust them.

Their thinking was, these guys know computers and they’re inexpensive, as were a lot of other off-shore firms from India, Russia, and Taiwan that were fixing Y2K problems.

But I was thinking, this is a golden opportunity for cyberthieves. When else have so many computers been opened up and touched by strange hands, with the blessings of their owners? I knew that any dishonest programmer could easily implant a so-called “back door” or “trap door,” a hidden entryway for him to get into the system whenever he wanted and steal data or funds. I have no doubt that many trap doors were part of the Y2K packages that companies got such a great deal on. Whenever you allow programmers to work on your computer system, for whatever reason, look into their background so you know who they are. A bank doesn’t allow just anyone to fix the locks to their vault. The same thinking should apply to your computer.

GOING, GOING, GONE

The number one source of crime on the Internet is online auctions, in large part because so many people use them and they’re such perfect settings for deceit. The FBI gets hundreds of complaints a week about them. There are stories of fraudulent paintings and “rare” Barbie dolls that are not so rare, of nonexistent kidneys sold for transplants. There are auction sites that sell suspect dinosaur fossils and pieces of meteorites. Sometimes the con artists use established auction sites to run their cons. Often, though, they set up their own auction sites and advertise expensive items like Cartier watches and personal computers that a lot of consumers would be interested in. They ask victims to send money for the goods and then deliver nothing, or a counterfeit version of what they wanted. And it may be months before consumers realize what they got was counterfeit. Once enough money comes in, the sites vanish.

One of the most common auction scams is when a con artist maintains he bought a nonrefundable but transferable airplane ticket. Unfortunately, something came up and he no longer can use it. It’s always for a popular destination and a time of year when plenty of people would be interested. He’s willing to sacrifice it at a loss; he just doesn’t want to have to eat the entire amount. The winner gets rewarded with a counterfeit ticket or nothing at all. Frequent flier mileage also turns up a lot on auction sites. The con artist claims his miles are good for a ticket anywhere in the world. The bidder sends the money and gets a letter saying, “Unfortunately, I just learned that I can’t transfer the miles. Don’t worry, I’ll send you a refund.” People have been waiting years for their refunds.

Every Christmas sees a predictable surge in auction fraud. There’s always a hot toy that every child must have, but there’s insufficient supply. So, con artists advertise on auction sites that they’ve got the toy. The Sony Playstation2 was the toy of Christmas 2000. Many people ordered them from phony auction sites and got nothing but an encounter with fraud. The address for the business that operated one site offering Playstations was a derelict house in Canada. The toll-free number consumers were invited to call was in California. The fax number to which they were told to send copies of their credit calls to speed their order was in the state of Washington. The money the company collected was wired to a bank in Florida. Does that sound like any business you want to deal with?

If you’re going to buy merchandise from online auctions, and many people swear by them, research the seller carefully. Look for the person on other websites. Some auctions allow members to furnish feedback on their experiences with different sellers. Even the feedback option is susceptible to fraud, however, as unsavory sellers will post glowing reports on themselves. Some auction sites like eBay provide limited insurance. Probably the best type of auction to get involved in is one that offers an escrow service, where you pay a small fee and the money is held until your goods have been received.

THE MYTH OF SECURITY

Just about any type of scam gets a boost from the Internet, but the web has really opened up a new world of opportunity for credit card thieves. As I so rudely found out, whenever you use your card to buy something online, you’re putting your account at risk. Crooks just love to log on to steal your card number.

One of their primary hacking tactics is “sniffing.” When you type something on the Internet, it doesn’t go straight to the website you’re visiting. Rather, the data gets divided up into what are known as packets. These packets get routed from computer to computer, until they all coalesce at the intended web destination. Criminals will plant “sniffers” on website computers, most commonly those hosting shopping sites, and the sniffers intercept the packets, copy down the information, and then allow the packets to proceed to the website. Packets destined for shopping sites naturally contain loads of credit card numbers, and they’re the sweetest smell of all.

This data then gets relayed to the computer of the criminals, where they sort it out and use it for ill-gotten gains. The whole process is essentially the Internet version of wiretapping.

But the chief way credit cards are stolen with computers is by breaking into the storage computers of sizable e-commerce companies and copying the extensive inventory of credit card numbers housed in their data bases. In late 1999, in the weeks leading up to Christmas, a rather brazen intruder helped himself to an early present when he broke into the computers of CD Universe, an online music store, and swiped more than three hundred thousand customer credit card numbers on file. Identifying himself as Maxim—he told the reporters he communicated with that he was sixteen and from Russia—he e-mailed CD Universe and demanded one hundred thousand dollars. If the website didn’t pay, he threatened to divulge the card numbers on the Internet. If he was paid, he said he would fix CD Universe’s security bugs, destroy the stolen card files, and forget about their store forever.

Well, CD Universe officials refused to respond to blackmail. On Christmas Day, Maxim made good on his threat. He set up a website that he called Maxus Credit Card Pipeline and began listing some of the stolen credit card numbers, adding new numbers on a daily basis. With a click of one’s mouse, anyone who logged onto the site could pick up a credit card number, name, and address.

The website operated for two weeks before some security experts found out about it, and alerted the Internet system that was carrying the site without its knowledge. It promptly shut it down. By that point, however, a traffic counter suggested that a few thousand visitors had downloaded more than 25,000 credit card numbers. Maxim also claimed that he had used some of the cards himself to raise some money.

The e-mail trail on the hacker suggested that he was indeed somewhere in Eastern Europe, making it difficult for American law enforcement to touch him.

Not long ago, someone broke into Western Union’s website and accessed 23,000 credit card numbers and expiration dates. Western Union had to call all 23,000 customers and tell them to cancel their credit cards. These were people who, a week before, had innocently transferred money through Western Union using their cards. You’d think a company the magnitude of Western Union would have a secure website, but it didn’t.

An editor at MSNBC, hearing about hackers wreaking havoc day after day, said that if it’s so easy to break into websites, why can’t my reporters do it? So he told two of his reporters to go home and get online and see if they could download credit card names, numbers, and expiration dates. He assumed it would take a couple of days. They were back within a few hours with 2500 credit card accounts.

The problem is, too many e-commerce companies don’t care if credit cards get stolen over their site, because it’s generally the credit card companies’ problem, and it costs staggering amounts to ensure security. If you’re Bank of America or Citicorp, it’s worthwhile to spend $50 million or $100 million to secure your site. But if you and I are selling outdoor lightbulbs or cheese, we’re not going to spend $50 million. Where would we get it?

WHAT’S BEING DONE

The Internet is so widely considered to be lacking in security, that companies have been forced to conceive of new ways to pay online. Late in 2000, American Express announced what it called a “private payments” service for credit card charges on the Internet. In effect, it’s a disposable credit card. We’ve got disposable cameras and disposable contact lenses, so why not a disposable credit card? The way it works is that a customer registers on American Express’s website, entering a name, password, and account number. Then the customer gets a private payment number that can be used once and only once. When you make a purchase online, you use that number rather than your regular credit card. As soon as the transaction clears, the number is worthless to anyone who gets hold of it. So if you want to send some flowers to Mom, you punch in the number, you’ve got the flowers, and the credit card number is immediately void.

American Express also offers a Blue card. If you order one, the company supplies you with a Smart-Card reader that gets attached to your home computer. It works pretty much the same way that a card reader does at the gas station or department store. The card has to be swiped through the reader, which authenticates purchases only after the correct PIN number is typed in.

Visa has been testing an online verification system of its own. One version goes like this: when you make a purchase over the Internet at a retailer’s website, a tiny window appears on the screen that asks for a password. When you type it in, that password is transmitted not to the store’s site, but to the bank that issued the card. This makes it harder for someone who has a stolen card to use it, because without that password being verified by the bank, the transaction won’t be processed.