The Art of the Steal (19 page)

Even though the phony machine was real in appearance, it did take a certain leap of faith for customers to actually try to use it. Or perhaps I should say, it took downright gullibility. After all, the machine wasn’t tucked into a wall the way real ATMs are. Instead, it just sat there on wheels, outside one of the mall’s busier department stores, looking like it was still waiting to be installed. There was no bank name inscribed on it, just a few stickers affixed to it advertising various ATM networks.

And the machine never spit out any money, even though one of the thieves, posing as a repairman, spent an awful lot of time crouching next to it, doing his best to look like he was industriously working on its mysterious problems. Again and again, he would pronounce it fixed, and yet it never was. But he was a nice-looking young man, and he sounded persuasive. “I think it’s fixed now, c’mon and try it,” he would invite people. “I think it was a problem with the dedicated phone line.”

Incredibly enough, more than a hundred and twenty customers went ahead and gave the machine a try, much to their subsequent regret. There was a man who sold Nordic Trak equipment who worked nearby. He’d notice customer after customer using it, never once getting any money. He’d see that same persistent repairman constantly at work on it, never seeming to make any headway. So what did he do? He went ahead and swiped his own card in the machine. A few days later, two hundred dollars was missing from his account.

The machine remained in the mall, standing on its wheels, for a full two weeks, collecting more and more card numbers and PINs. By the time the authorities finally caught on to what was transpiring, after customers complained about missing funds, the crooks had gotten away, and so did the machine. Apparently deciding enough was enough, the two men came in one day and loaded it onto a white truck. They informed the mall that it had to be taken in for repairs.

It was unclear how the thieves got their hands on the bank machine. It was speculated that they bought it on the used ATM market. Or they might have stolen it. Not that long before, there had been a wave of thefts in New England, during which a band of robbers wrested bank machines off of their foundations and took them away in trucks. In actuality, though, there are companies that make portable ATMs and will gladly sell them to anyone who wants one. You’d be amazed at the things that the general public can buy. There’s only one state in the country, Oklahoma, that doesn’t allow just anybody to buy a pay phone.

The Connecticut thieves managed to realize more than one hundred thousand dollars from their audacious crime. What tripped them up was they made the mistake of using their counterfeit cards for withdrawals in Manhattan bank machines. New York has a law requiring cameras on every teller machine. By inspecting photographs and withdrawal records, the police apprehended the two men about a month later. One of the thieves was a computer specialist. The other had a background in finance. When they were arrested, the authorities discovered that they had five ATMs, including the one used in the Connecticut caper.

There have been other extravagant variations of the open-your-own-ATM scheme. In a number of instances, a criminal has ventured into hotels, asked to see the manager, and introduced himself as a representative of a business that installs ATMs in commercial locations. He outlined a deal where he would put a portable machine in the hotel’s lobby. Every time a guest used it, his company would collect a service fee of one dollar fifty cents. He’d give one dollar of that to the hotel. It’s a deal that sounded great. The hotel would have a new convenience to offer its guests, and not only would it cost the hotel nothing, but also the hotel would make money off of it. So the manager said, go ahead, put it in.

The criminal rolled it in, and unlike with the mall caper, he loaded it with $1,500 so it functioned like a legitimate machine and actually dispensed cash. He didn’t mind this little investment, considering the returns he anticipated. His machine wasn’t connected to a bank phone line, either. It was simply registering card numbers and PIN numbers to allow counterfeit cards to be generated.

So don’t be fooled into thinking a machine must be real if it dispenses money. Criminals aren’t that cheap. They’re perfectly willing to invest some cash if the returns are much greater, as they inevitably are in scams like these. I’m always mistrustful of portable ATMs, and use them only if I have no alternative. When I go to a stand-alone machine, though, I always take a look behind it to see if it’s connected to a phone line. If it isn’t, it’s a fake.

JUST SKIMMING ALONG

The latest approach to ATM theft is skimming. Skimmers similar in function to the ones I spoke about for credit card fraud are specially manufactured for ATMs. Criminals fit them over the card slot on a standard ATM, and they have a magnet in the back that holds them in place. The skimmer is motorized, so that when you put your card in, the motor nudges the card along so it actually penetrates the real hole as well. That allows the machine to function normally. But while the card passes through the skimmer, your card information is stored on its chip. At the end of a day, the criminal retrieves his skimmer, as well as dozens of account numbers and PINs.

Anytime you notice something protruding from an ATM, be suspicious. The card slot should be flush. Someone I know once encountered a skimmer, yanked it off the machine, and went in and handed it to a bank officer. “You might be interested in this,” he told him. “I found it on your machine.”

WHAT TO DO

It’s the simple things that can prevent you from becoming a victim of ATM fraud, and so let me review the key safeguards to keep in mind. Never give out your PIN to anyone, especially someone who maintains that he’s a bank officer or a security guard. All a crook needs is your card and your PIN, and he can go to town. If others are waiting in line behind you to use the ATM, don’t be lackadaisical, and block the keyboard when you enter your PIN. Some banks have redesigned the ATM keyboard or enclosures to make it particularly difficult for an observer to watch the cardholder punch in his PIN, but even then you need to be watchful.

Never write your PIN on your card or on a piece of paper that you keep in your wallet or purse. I know some people who put it on a little sticker and attach it right to their ATM card. That’s credit suicide. If your ATM card is lost or stolen, immediately report it to your bank so that card can be disabled. Crooks move fast, and you need to move faster.

Don’t consider using an ATM unless you’ve checked out the area carefully. If people seem to be loitering by the machine, don’t assume they’re there for innocent purposes. And check across the street for people with cameras or binoculars, those long-distance surfers I mentioned. If something about an environment makes you uneasy, err on the side of caution and come back later or use another machine.

If you feel threatened while processing a transaction, press the “cancel” button and leave the area. If you sense someone is following you, drive to the police station or nearest business with a lot of people around. Once you’re done getting your money, don’t just stand there at the machine and count your cash, advertising your withdrawal. Put it away, leave the area, and count it once you’re in your car or back in the office.

The receipt that gets spit out of an ATM machine is a nice convenience for the customer. It’s also a great convenience for the criminal. It has part of your account number on it and how much money is left in your account. In some cases, it even has your PIN. Until a few years ago, federal law mandated that ATM receipts had to carry your full account number on them. That made it too easy for crooks. I was among those who testified in behalf of a change in the law, known as Regulation E. It was finally changed, and now receipts only have to carry half of an account number.

Even so, don’t throw away your receipts at the ATM machine in those receptacles banks (or crooks) put there. Criminals retrieve them and use even fragments of information to carry out shoulder surfing scams. Rip the receipts up before you throw them away, or take them with you. If you’re going to leave them behind, you might as well leave your bank card, too. When I use an ATM, I always choose the option, “No receipt.”

All ATM cards have a daily limit that prevents the cardholder or any other user of the card from withdrawing more than a certain amount of money in any one day. Cardholders, however, are seldom aware that certain banks allow a cardholder to go into the bank and withdraw larger amounts on the card using only the PIN and card. No further identification or signature is required at these banks. This allows a thief who has a person’s card and PIN to withdraw the maximum allowable at the ATM and then, after checking the account holder’s balance, to go into the bank and withdraw additional amounts at the teller. If my bank did that, I’d have them put the same limit on a teller withdrawal, unless further identification is furnished.

And here’s some advice about PIN numbers: be a little bit more inventive in your choice of number. Surveys of our habits are interesting fodder, but—guess what—criminals read surveys, too. They know that 70 percent of people use their birthday or their street address as their PIN. If a thief gets hold of your purse or wallet, he’s got your street address. If it’s a four-digit address, that’s probably your PIN. Any number of cards in your wallet will have your birthday. Another common choice is the first four digits or the last four digits of your Social Security number. Thieves love that, too. Use an easy-to-remember number that’s not tied to you, a number that isn’t going to be found on any piece of personal identification. I have three sons, and so I use their birthdays for my PIN numbers. I never forget my kids’ birthdays, and yet no one can find those dates on anything in my wallet.

LEAVE MY EYES OUT OF IT

Because PIN numbers are the weak link in the system, there’s been a lot of discussion about doing away with them. The hot new technology for ATMs is biometrics, which is the statistical measurement of biological phenomena. An array of devices have been invented that will identify people through physical characteristics, whether by hands, faces, voices, eyes, or even smells. One of the most promising is a machine that identifies you by your eye. When you insert your bank card, a pea-sized camera locates your face, homes in on the eye, and snaps a digital image of your iris. It can do this from as far away as three feet. The computerized “iris code” then gets compared with one that the customer furnished to the bank. If the two codes don’t match, the ATM won’t work. The entire process takes not even two seconds.

The key to mass deployment of these systems is that they work no matter what contingencies arise. For instance, face recognition systems get foiled when a man grows a beard or a woman dyes her hair. If someone puts on a significant amount of weight and his face gets pudgier, that alone will throw off the machine. But the iris systems work, even if a customer wears glasses or contact lenses. They work at night and in dim lighting. Face recognition systems are thwarted by twins, not that theft by one twin against another is one of the world’s major crime problems, but even twins have unique irises.

Fingerprints can change from injury or deliberate alteration. But not irises. From the time someone is about eighteen months old until a few minutes after they die, their iris is unchanging. For the purposes of an ATM machine, that’s plenty of time. And you can’t fool the machine by holding aloft a picture of the cardholder. The first thing the camera checks is whether the eye is pulsating, and thus alive. If the camera fails to detect blood flowing through the eye, then it concludes that it is looking at a picture or at someone who’s dead.

It’s fascinating technology, but I’m personally against these devices. I just think the whole idea is ridiculous. We’ve given up enough privacy in this modern age, so why should we be asked to give up anymore? The bank has enough information on its customers. Now it’s saying that it wants them to give up their irises? For what? Something they’re not even liable for. The most that crooks can normally take from one account is a couple of hundred dollars, and it’s the bank’s problem if it happens. So my feeling is, why insult your customer?

8

[THE
CYBERTHIEF
]

N
ot long ago, I was faced with a real dilemma. One of my sons had a birthday coming up, and he wanted a guitar he’d seen on eBay. That particular guitar, and no other. I know that eBay is part of the pulse of daily life for many consumers, who regularly log onto the auction site to buy everything from car tires to knight’s helmets. But it isn’t part of my life. The Internet frightens me. I think it’s a wondrous invention and there are many things I love about it, but it unnerves me because of all the possibilities for fraud. A firm rule of mine is never to buy anything over the Internet with a credit card, and I tell my wife and kids the same thing. I just don’t trust the feeble amount of security that’s been incorporated into most websites.

But now there was this guitar and my son’s birthday. So I logged onto eBay and found the guitar. In order to purchase it, I had to go to a feature called Pay Pal. It required that I enter my credit card number. Given my convictions, I was very reluctant to do that, but I was even more reluctant to disappoint my son. So I went through the drill and typed in my MasterCard number and expiration date. Just as I was about to complete the transaction, I got panicky and had a change of heart. I pressed cancel. I’m not going to do this, I told myself. It violates all my principles. I signed off, unaware of my impending fate.

Fortunately, eBay tells you how to contact the owner of any item offered on its website, and so I sent an e-mail to the guy who was selling the guitar and asked him to call me. When he did, I talked to him for a bit and felt comfortable that he was legitimate. I told him I’d like to buy the guitar, but I wasn’t going to give out my credit card on the Internet. I said I’d send him a cashier’s check for the amount, and give him my Federal Express number so he could ship it to me. He agreed, I got the guitar, and my son was delighted.

Soon after, I received my MasterCard bill in the mail, and there was a two hundred fifty dollar charge from Pay Pal. I called and said that I hadn’t bought anything. They told me to write a letter contesting it and they’d remove the charge. Then a package arrived at my house addressed to me. I opened it up and it was some ski pants. I hadn’t ordered any ski pants. I didn’t even recognize the company.

I called them up and was told it was an Internet purchase made on my MasterCard. I explained that I would never buy anything over the Internet. Obviously, someone had gotten hold of my credit card number, and the only way he could have done it was through that Pay Pal entry. Okay, the guy said, just put the pants in the box and send them back and I’d get a credit. I asked him why someone would use my credit card to buy something and then ship it to me? What probably happened, he said, was it was someone in my area. Most people are at work when packages arrive, and they get left on the porch. Thieves will order them, find out when they’re to be delivered, and then steal them off the porch. Another possibility was the thief tried to have it delivered to a different address, but as a precaution, this company only shipped merchandise to the billing address on the card. Not wanting to arouse suspicion, the thief probably allowed it to be sent anyway. What did he care? He wasn’t paying for it.

Once I got off the phone with the ski pants company, I called MasterCard and alerted them to the shenanigans with my card. The representative checked my account activity. As of that moment, it showed purchases of $3,600, none of which I had made. They were all Internet purchases, since there was no need for a signature or anything. My card was canceled, and I had to send a notarized affidavit attesting that those were not my charges.

So here I was, one more victim of Internet fraud. The sole time in my life that I used the Internet to attempt to buy something, and just for a minute, I got scammed. I never even completed the transaction, and yet my card number was preserved on the site and someone got hold of it. If this happened to me, who’s constantly on the alert for swindles, it shows you how vulnerable computers have made us.

THE PORTABLE THIEF

There’s no question about it: the Internet is a criminal’s dream come true. Forty million people use the Internet every day, and to a thief, that translates into the ability to cheat an immense number of people all at the same time. Estimates are that more than 5 percent of Internet transactions are fraudulent, compared to less than half of one percent for brick-and-mortar retailers. Every day, thieves are sitting before their terminals, trying to break into somebody’s system, working on that way to bypass security.

With the Internet, a thief doesn’t need to come to your business or your home to steal from you. He does it by computer. A con man normally had only the ability to reach people through the medium of himself, and so he could only cheat a limited amount of people in a small area. Back in my days pushing bad paper, I was constantly on the move, and I had to be. Part of the reason was to evade capture, but also I needed to find new victims I hadn’t yet fleeced. A con man today never has to board a plane. Using the Internet, he can deceive people all over the world, without having to talk to them. He doesn’t even have to get dressed.

When it comes to fraud, appearance used to matter. When I started doing check forging, I was sixteen, but I was over six-feet tall. I looked like an adult, and I was able to act the part. If I’d been a bashful, pimply-faced teenager, there would have been no way I could have gotten away with what I did. But with electronic fraud, you don’t know who the criminal is. You can’t see him or her, because the person is sheltered by the technology’s anonymity. You have literally opened yourself up to millions of criminals, and not only domestic ones. When you’re on the Internet, you don’t know if you’re dealing with someone from Nigeria, Syria, Hong Kong, Malaysia, or Buffalo. And have you ever tried to get a refund from another continent? You won’t enjoy the experience.

Computer crime, or cybercrime as it’s called, is one of the newer forms of fraud, but it’s a tremendous growth industry. One of the frightening things about fraud with computers is the speed at which it happens. When people use the Internet, they talk of going on “Internet time,” meaning that everything transpires at warp speed. Well, criminals like Internet time too. A well-executed bank robbery, the physical stealing of the money, is going to take a half-hour, easily. With an electronic heist, we’re talking a couple of milliseconds.

So much about computers make me uncomfortable, because they’re the doorway to limitless amounts of money. Money is continually transferred electronically between banks and financial institutions, trillions of dollars a day flying around the world as electronic pulses. If a hacker slips inside a bank’s computer, he can commit bank robbery of unprecedented proportions, with a mouse rather than a gun. Here’s a statistic that shocks even me: only 6 percent of all websites are considered secure by experts. That means that 94 percent aren’t. The 6 percent are almost all big financial institutions, because they’re the only ones willing and able to spend the money to do it. It can cost at least $50 million for a bank to secure a website. Every day, ten thousand new websites are added, 94 percent of which are not secure. Despite this, most of us fail to acknowledge the fact that the computer is like a weapon. For the purposes of robbing someone, it’s the same as a gun. The only difference is semantics. With a gun, it’s called armed robbery. With a computer, it’s called white-collar crime.

THEY SHOULD FRISK FOR A MOUSE

Computers have become such a potent weapon that in 1999, the U.S. Parole Commission made some telling changes in its rules. High-risk parolees can now be restricted from using computers and the Internet without written approval. In other words, don’t just keep guns out of the hands of repeat offenders; keep these guys away from the computers.

And for good reason. In 1994, Vladimir Levin, a thirty-year-old Russian payroll programmer with thick glasses, used a rather primitive computer to steal $10 million from Citicorp’s wealthier customers. With the help of some confederates, he managed to transfer the money into accounts with phony names scattered among obscure banks in the Middle East, Europe, and elsewhere. Then accomplices would go in and withdraw the sums. A stool pigeon ultimately turned him in, or he might never have been caught. He was arrested when he left Russia to go to London for a computer exhibition. Levin was generally considered to be the first online bank robber, and his theft was the largest computer crime on record.

As Levin’s crime illustrates, a big difference with electronic fraud is the quantities involved. With regular fraud, the amounts are often fairly small and only add up over time. With electronic fraud, we’re often talking about losses of millions of dollars in each caper. The FBI says that total losses from computer-related crime exceeded $250 million in 2000, double what they were in 1999, and since so much of it is under-reported, it could be in the billions.

Unfortunately, law enforcement has not kept pace in its training of agents in how to combat computer crime. One recent study of cybercrime found that only a tiny amount of the federal government’s law enforcement budget is spent on computer-crime training and staffing. Many police officers don’t even have e-mail.

Incidentally, outright theft of computers—the actual machines themselves—is itself a big problem. Security experts say computer theft is now second only to auto theft, and it’s much easier getting your car back than your computer.

HACKERS AND CRACKERS

If you have any doubt about the seriousness of electronic theft, think about this: six out of ten American companies and government agencies have been hacked so far, including the FBI, the CIA, the Secret Service, and the White House.

A twenty-year-old computer hacker confessed to breaking into two computers of the National Aeronautics and Space Administration (NASA) that were normally used to design satellites and for e-mail and internal functions. The hacker installed a program onto the computers that allowed him to host a chat room. On his chat room, he advised people to visit a particular pornographic website, and he earned eighteen cents for each visit someone made to it. Before long, he was making three hundred dollars to four hundred dollars a week.

A sixteen-year-old Miami boy broke into computers of the Defense Department and NASA, downloaded software, intercepted messages, stole data, and caused some of the computers to be shut down for three weeks. He repeatedly penetrated computers that monitor threats to the United States from nuclear, biological, and chemical weapons, as well as traditional arms. Too bad they didn’t monitor attacks from sixteen-year-old hackers. Fortunately, the government said none of the affected computers was related to the command and control system, so the kid wasn’t on the brink of launching a rocket or knocking a satellite out of orbit, but I hear these things and have to wonder, what’s next?

A few years ago, a band of German hackers wrote their own Microsoft ActiveX control. The control designed by the Germans made a slight adjustment in the popular personal-finance program Quicken. Whenever the user paid a bill online using Quicken, he would also make a small contribution to the account of the hackers. Stealing money a small slice at a time like this is known as a “salami” attack, and a computer can make a lot of salami.

There’s so much invasion of computers that distinct subcultures have emerged. The term “hacker” is now most commonly used to refer to teenagers who break into computer systems for kicks, the way kids of earlier generations smashed eggs on windshields or did graffiti. It gets them bragging rights among their peers. To them, bringing down the computer network of the Joint Chiefs of Staff is the same as playing Donkey Kong. After a sixteen-year-old boy was caught prowling in government and business computer systems, he explained, “All the girls thought it was cool.”

Full-fledged thieves who invade computers as a profession are referred to as “crackers.” There’s quite a robust underground market in cracking. Adept crackers can command ten thousand dollars and up for breaking into a corporate website, and just as baseball players arrange bonuses if they hit a certain number of home runs or pitch so many innings, they merit bonuses for stealing trade secrets or doing damage to a competitor’s computer system.

THE PROGRAM THAT LAUNCHED
ONE THOUSAND SCAMS

We all learned how the Greeks won the Trojan War by concealing themselves inside a large hollow wooden horse that got them into the walled city of Troy. The simplest method crackers use today to invade a computer is a piece of software that operates by a similar deception—a Trojan Horse program.

Just like with the real Trojan Horse, a Trojan Horse program has two functions operating simultaneously, one that you see and one that you don’t. It does something overtly innocent like demonstrate a game, show a greeting card, or offer an mp3 song. But while that benign activity is going on, something insidious is happening. Basically, the criminal dupes you into running something whose exclusive purpose is to burrow its way into your computer without you knowing about it.

Trojan Horse programs take different forms, and you can find dozens of them offered free right on the Internet. One common scam works like this. The criminal sends you an ordinary e-mail. It’s easy enough to find out anyone’s e-mail address through a routine Internet search. The e-mail says, “Hey, how you doing? Want to see something cool?” and contains an attachment. The key is the attachment. When you open it, there might be a game demo or some little piece of entertainment. You watch it and have a few chuckles. But invisibly embedded in that demo is a Trojan Horse program known as a keystroke recorder, whose subcommands instruct the computer to record everything the user types on the keyboard. That information then gets sent to the computer of the criminal. He now knows your passwords and account numbers, and your credit is at his disposal. These programs were originally designed so employers and parents could check on what their employees and kids were up to, but like so many legitimate ideas, they’ve been put to alternative, malicious purposes by thieves.