Computer Crime Research Center


Credit card breach: Tracing who dunnit

Date: September 21, 2005
By: Jeanne Sahadi

Snagging hackers is tougher than it may seem.

NEW YORK (CNN/Money) – News that hackers broke into the database of payment processor CardSystems, which contained information on over 40 million credit card accounts, raises the obvious question: Who did it?

The FBI is investigating and doesn't discuss cases that are pending. But if recent history is any guide, there's a fair chance the hackers may not be caught, or not anytime soon.

Not that there haven't been notable successes for law enforcement.

Since last October, for example, 28 members of Shadowcrew have been indicted. Shadowcrew operated one of the largest illegal online sites that facilitated malicious hacking and identity theft by selling such key identifiers as Social Security and debit card numbers.

Still, compared with the number of breaches that occur, "the prosecution rate is very low," said Robert Richardson, editorial director of the Computer Security Institute.

That's not because law enforcement isn't doing its job. It's because the trail of sophisticated hackers is often complex and far-reaching, usually involving more than one country.

Where in the world are they?
It's hard to catch a thief when you can't even pinpoint his general location on the globe.

"Almost all these cases have an international dimension. The Internet doesn't have borders," said Christopher Painter, deputy chief of the Justice Department's Computer Crime and Intellectual Property Section.

Competent hackers know how to hide their identities and route their mischief through several different computers, and often through several different countries.

There is a belief that many hackers are located offshore. But "when people say there are a lot of offshore hackers – it's really just a guess based on technical analysis of server logs," said Andrew Jaquith, a senior analyst of security solutions and services at the Yankee Group.

Wherever the hackers' home base, their goal is "to cross international boundaries so the victim country's cybercrime squad will be faced with issuing international warrants abroad," Richardson said.

Law enforcement efforts have been strengthening internationally:

Operational cooperation between authorities in the United States and other countries has increased.

The Department of Justice plays an active role in the high-tech crime policy committees of groups like the G8 and APEC.

The Patriot Act has expanded the tools available to U.S. authorities to fight cybercrime.

And 42 countries have signed the Convention on Cybercrime, the first international treaty to put forth recommendations for fighting cybercrime, although to date only 11 of those countries have ratified it.

Still, hackers know that not all countries are on the same page.

Their best bet to escape prosecution, Richardson and others say, is to operate through places that have more lax law enforcement. Some hotspots have been in Eastern Europe, Russia, Southeast Asia (with the exception of Singapore) and possibly China.

But hackers don't limit themselves geographically. "It only takes a couple of hackers to put a little country on the map," Richardson said.

Prosecution is not impossible, but international cooperation is key. When a cybercrime is originated abroad but committed against a system in the United States (or is routed through computers in the United States but committed against an entity abroad), "we have jurisdiction over that ... but it doesn't mean (the criminals) need to be prosecuted here," Painter said.

That is, the country where the cybercrime originates or through which it is routed may first charge and prosecute the criminals. For example: a Canadian teenager known as "Mafia boy" launched widespread denial-of-service attacks that shut down leading U.S. sites such as, and eBay back in 2000. He was arrested and charged by Canadian authorities, who worked in cooperation with U.S. authorities who traced the attack to Canada.

Preserving hackers' footprints is hard
The quest to capture evidence on a hacker is also problematic.

For one thing, countries have different rules regarding how long digital information must be kept. That's why, Painter said, "you have to act very quickly."

Plus, Richardson said, "an awful lot of cases have been blown right at the instant they're discovered – not intentionally but because security professionals are not trained in how to preserve evidence."

Their first instinct once a problem is detected is to get rid of it or to go into a suspicious file, which can change the time stamp on that file. "Then there goes one strain of evidence," Richardson said.

Who are they?
Further complicating the hunt for hackers is their changing profile.

It used to be most hackers weren't in it for the money so much as intellectual bragging rights. And if they worked in cahoots, it was in loosely organized groups.

That's less the case today.

"Now we're definitely seeing a new paradigm," Painter said. "It doesn't mean the lone-gun hackers are gone," he added, but organized cybercrime rings and hackers-for-hire are becoming more prevalent.

There are different categories of hackers, Jaquith said, such as:

The revenge hackers: Most typically disgruntled insiders who want to disable their employers' systems.

The opportunistic hackers: Those who work for criminals for a fee, or a company insider who is paid in exchange for access to a company's systems.

The just-for-kicks hackers: Computer geeks testing their technical prowess.

No one has illusions that hackers or computer breaches can be eradicated. "Any organization of reasonable size is going to be attacked," Richardson said.

But it's getting to a point where cybercrime is less the scary new monster than an inevitable burden like brick-and-mortar crimes. "The online world is not that different than the physical world. There are risks in both," Painter said, although he added that the challenges of combating cybercrime are different, most notably because of its international scope. "We need to be able to recognize it's a threat and deal with it."

While there are fears that consumers will curtail their online activities as news of system breaches becomes more prevalent, Painter doesn't think so, assuming companies demonstrate they're doing all they can to minimize security breaches.

By way of example, he notes that Los Angeles was once considered the bank-robbing capital. But, he said, "No one stopped banking because there were bank robberies."
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo