|
Sunday, 23 October 2005 |
Imagine a place in cyberspace, not just one place, but hundreds of them, where every day tens of thousands of thieves congregate. Then imagine your financial information - bank accounts and credit card numbers, PINs and passwords - all of it up for sale to the highest bidder. An incredible story, yes. An impossible one? Not at all.
Our story begins in Edmonton with a very low-tech crime: someone broke into Paul Browns truck and stole his briefcase. Inside was a diary full of his financial information: passwords and codes, cheque books and credit card statements -- all of it now in someone elses hands.
"Within about 30 minutes of this happening, we were at the bank," says Brown. "We basically cancelled all our bank accounts instantly."
Brown went back to work at his travel company thinking hed covered the bases. He was wrong. Within 24 hours the thieves were at work, using his information to steal his money. It got so bad, Brown feared he could lose his business.
"It got to the point we actually felt as though wed lost control," says Brown. "We had no access to that information of what cheques were good, what cheques were bad. The credit card payments, we werent sure whether they were legitimate credit card payments, or legitimate credit card charges."
Pauls case ended up with Det. Al Vonkeman of the Edmonton Police Service. But for Vonkeman it turned out to be much more than a run-of-the-mill B&E and identity theft. It was the beginning of a journey into a world he never imagined existed.
According to Vonkeman, a new criminal enterprise was now preying on his city, attracting the likes of Hells Angels and other crime groups.
They were on the Internet now, finding a treasure trove of personal information, and not a very well guarded one. The crooks had begun hacking into company computers, stealing peoples information by the tens of thousands, or simply going online to buy what others had already stolen.
Victims number in millions
Edmonton police werent the only ones discovering this frightening new world. Dan Clements – known online as "Card Cop" – says victims of cyber crime probably number in the millions. Clements runs a Burbank, California-based business specializing in fighting online fraud.
He showed us an Internet chat room with 206 people logged on. "And this is a chat room of basically thieves that are buying, selling and bartering personal information on consumers," explained Clements.
Incredible? Well, multiply it by 300. Thats how many such sites, according to Clements, are up and running at any give time. And it would take him no more than a few seconds to find others like it. "All I have to do is log on. As fast as my computer can boot up, I can find a chat room within 10 seconds and go in there and find this information. Its very, very simple," he says.
According to Card Cop there are 60,000 crooks online from all over the world, stealing, buying and selling your financial information, some of them, barely out of high school.
W-FIVE managed to track down one of them – well call him "Brandon" - who agreed to talk with us on condition we hide his identity. He believes – and the police agree - that the organized crime gangs he was involved with would try to kill him if he went public.
After his arrest and conviction on forgery charges, Brandon gave up hacking but still speaks with some pride about the money he used to make from online fraud.
"Ill give you an exact number that I had access to," he says, "$1.8 million. Thats what I was caught with."
Easy as pie
Brandon started when he was just 16. An addiction to the drug crystal meth was what fueled his crime spree, which started in the back alleys of Edmonton.
Dumpsters were his first hunting ground, and information was his prey - easy prey, as companies, banks, even government offices would throw out documents without shredding them. Then all it took was a phone call to Western Union with Brandon posing as the person whose information hed stolen.
"And they say Hold on one second well check with your bank to make sure all your informations correct, and that was that," he explained. "Easy as pie. And within half an hour, youre going walking down to your local Western Union location and picking up the money."
But Brandon soon found richer hunting grounds online. He claims he hacked into big companies like eBay and Yahoo, and used that information to trick Equifax—the credit agency—into giving him the records of individual Canadians.
"Its just a cheat sheet to do anything you want, you get everything you ever possibly need pretty much," says Brandon. And with that information in hand hed simply apply for loans in the name of the other person.
"When you think that youre safe somewhere, youre not. If youre giving (your credit card number) over the Internet, good luck trying to keep it safe."
In fact, millions of peoples information isnt being kept safe, a hard lesson for Det. Al Vonkeman of the Edmonton Police who admits the police simply cant keep up with the crime.
"Not a chance," he admits. "Were probably fortunate in terms of I think were keeping up with understanding what the new trends are. But keeping up with the all the crimes theyre doing and trying to investigate? No, were not keeping up with that."
The Shadowcrew
Theyre having a tough time keeping up in the United States as well, although the Americans are throwing considerably more manpower at the problem.
A series of raids a few months ago by the Secret Service, which shares responsibility for financial crimes with the FBI, took down a ring of cyber criminals known as Shadowcrew.
"Through this website, people offered to sell and people bought all manner of fraudulent paperwork, stolen credit card numbers. An eBay for crooks is a good way to categorize it," says U.S. Attorney Scott Christie, who headed up the federal task force..
Nearly 4,000 hackers from around the world belonged to this site where theyd log on to sell and buy anything that could be used to commit fraud. The volume of stolen material was staggering.
"There was one Shadowcrew member who had a website. And through this website, he was selling at any given time half a million stolen credit card numbers," says Christie.
But little did the crooks know that from their command centre, the Secret Service was working a source deep inside the Shadowcrew organization who would eventually lead them to the people at the top.
On Oct. 24, 2004, the Secret Service sprang the trap. Across the United States federal agents made 19 arrests – the biggest such bust in U.S. history, and a big shock to the ringleaders.
"They were taunting law enforcement to come after them, believing that they were anonymous, that they were beyond the reach of law enforcement, that they were actually smarter than law enforcement," says Christie.
Shadowcrews tentacles reached well into Canada but from federal officials here - no task force, no national response. In the end, just a few local cops from Calgary and Vancouver took the case, determined to piece together the Canadian connection.
And within a few months, Vancouver Det. Mark Fenton and his partner Det. David Frame were calling a press conference to announce an arrest.
"We found enough equipment that an individual using that equipment who was knowledgeable could produce a fair number of credit cards," says Det. Fenton. "There was equipment there for making false identities."
Lloyd Buckell was charged with two counts of possessing material to make counterfeit credit cards. We caught up with Buckell at his apartment in Abbotsford, B.C. where he denied the charges against him and denied ever having heard of Shadowcrew, saying the charges were all a big mistake.
Police elsewhere in Canada have been picking away at the Shadowcrew gang. But they admit that there are many Canadian suspects that remain at large. That says a lot about how differently the two countries are dealing this type of crime: a huge national response in the U.S., a modest local one here.
Interestingly, the Secret Service approached the RCMP about the Canadian connection to Shadowcrew, but the Mounties passed on the case, handing it over to local city police. We tried repeatedly to ask the RCMP about their apparent lack of interest but the Mounties story kept changing and they refused to talk about it on camera. They did eventually send us a letter, which cited "limited investigative resources". In other words, they just didnt consider it a priority.
So if the RCMP wont do much about it, what are ordinary Canadians to do to protect themselves? Theres very little they can do. The problem is they often dont even know theyve been victimized. Why? Many companies whove been hacked arent informing their customers, and theres no law to force them.
Jeff Burton of the B.C. Crime Prevention Association travels the province speaking about the dangers of identity theft and the need for companies to tell Canadians – and the police – as soon as they discover theyve been hacked. He says many companies arent coming clean because its embarrassing and not very good for business.
"Its bad for business because that could mean that the consumer is going to leave that institution, such as a bank, walk across the street and take his business elsewhere," Burton tells W-FIVE.
"The victim has a right to know whats happened to their information. We have no control over it once we give it up. But its up to them to protect it and prevent any unauthorized access to it."
But unauthorized access is exactly what happened to both Equifax and Trans Union. Remember: these companies store the financial history of virtually every Canadian. If you took out a loan, applied for credit, were late paying a bill, they know about it. While both have told customers about past breaches, neither would talk to us about whether there had been others, or how it could happen in the first place.
More disclosure needed
In Canada, there is no law that forces those companies to tell you when they lose your information to thieves. In fact, on the rare occasions when people are informed, its likely thanks to a law passed in California.
State Senator Joe Simitian put that law together. He says that in California, companies just werent telling people about their information being stolen. After his law was passed, that all changed.
"I think disclosure is the starting point. Without that, nothing else follows. You cant protect yourself if youre not aware of the fact that youre at risk," Senator Simitian tells W-FIVE. He says hed like to see similar laws right across the United States and Canada.
"Its a little like a fender bender. Sooner or later, all of us are going to have the experience. And for the people who have that experience, its usually far worse than a fender bender in terms of its impact on your life."
A disclosure law is being considered in Ontario, but on the federal level, virtually nothing. We spoke to the man responsible, Industry Minister David Emerson, who admitted he didnt really know how many Canadian companies have been breached or how many Canadians have had their information stolen.
"We dont know with precision, let me put it that way," said Emerson. "We know in an approximate way."
Though Emerson admits the impact of the crime is huge, he also says the legislation just isnt a priority for the governing Liberals. But not to worry, he says, most companies will do the right thing.
"I would say that there are many more cases of companies who have properly notified their customers than there are companies who have not," says Emerson.
But, Emerson admits, he doesnt know for sure.
From the politicians, businesses and the police comes limited information and a limited response. Its simply not a priority. Meanwhile, night and day, week in and week out, tens of thousands of crooks are trolling cyberspace, just like Brandon used to, in search of your information.
"Its everywhere. Its absolutely everywhere. When you think that you are safe somewhere, youre not. If you are giving it over the Internet, good luck trying to keep it safe." |
|
|
