WASHINGTON—Federal agents are in a familiar position as they probe the computer-security breach at an Arizona firm that left credit-card data for some 40 million people open to theft: Once again, they're playing catch-up.
Faced with the vastness of cyberspace, the technical prowess of the thieves and the runaway pace of technology, finding the culprits is no simple matter.
"Unfortunately, the nature of cyber crime, and identity theft, is such that law enforcement will probably always be involved in a game of catch-up," said Paul Luehr, Minneapolis-based vice president for Stroz Friedberg, LLC, a national computer forensics and consulting firm.
The decline of face-to-face cash transactions and the growth of Internet commerce have made credit-related data thefts a regular occurrence and a high priority for federal law enforcement.
In the Arizona case, little is known about whether criminals are using the information that computer hackers stole from CardSystems Solutions, a credit-card payment-processing company. But unconfirmed reports from Japan say that at least $1 million in fraudulent credit-card charges have been linked to the security breach. Officials at CardSystems declined to comment.
The break-in is the latest in a string of similar lapses that have left personal information for 58 million Americans—such as Social Security numbers, credit card numbers and addresses—vulnerable to theft.
Identity theft, in which such stolen information is used to obtain credit and make purchases in the victims' names, is the nation's fastest-growing crime. Losses from identity theft total $5 billion for consumers and $48 billion for financial institutions, according to a recent Federal Trade Commission study.
In response, the FBI, Department of Justice and Secret Service have beefed up their computer crime-investigation units. But experts say federal investigators have a tough row to hoe.
Computer crimes often are difficult to solve. Doing so can take years, and cyberspace provides criminals with anonymity and many ways to cover their footprints.
The technology changes so quickly that by the time criminal activity has been discovered the suspects may have moved on to different crimes and methods. Computer forensic evidence can disappear in days, leaving investigators with a cold trail.
And because the crimes are often carried out by organized gangs in Russia, Central Europe and Africa, the geographical, jurisdictional, language and legal barriers are sometimes insurmountable for U.S. law enforcement.
"Being so far away with so many physical boundaries helps hide them over there and it makes it tougher to track them down," said Mike Gibbons, the vice president for federal security services at Unisys and a former head of FBI computer-crime investigations.
To handle these obstacles, FBI investigators are required to have extensive cyber-crime training. But agents who have that expertise often are called on to assist in other cases, which cuts into their cyber crime work.
"In some cases, to actually do the forensic exam, it can drag out because they do have to prioritize cases and sometimes lower level investigations may get backed up. So in many of these cases there is not a rapid turnaround," Gibbons said.
Corporate America's complacency about computer security is a problem too, said Gary Morse, the president of Razorpoint Security Technologies, a New York City consulting firm that breaks into the computer systems of Fortune 500 companies to find weaknesses before hackers do.
When he was asked to grade the security of U.S. consumer credit and personal information, Morse said it was "bordering on a failing grade."
"You're talking about stock exchanges, banks, ATM machines. We work in the companies. We're there all the time. They don't have the processes in place," Morse said.
He cites, for example, the recent loss of computer tapes containing the personal information of 3.9 million customers of CitiFinancial, the consumer finance division of Citigroup. The tapes were lost while United Parcel Service was shipping them from a data center in New Jersey to a credit-reporting bureau in Texas.
"Who decided that was a good process?" Morse said. "What does it cost to have a private messenger or an employee to get them a car service to take them from point A to point B?"
Morse said more businesses must view computer security as a management issue before things would change. "It should be top-down. It shouldn't be the computer guy who's running around fixing printer jams. Unfortunately, that's what we see."
Nessa Feddis, the senior federal counsel at the American Bankers Association, disputed Morse's view of the security of electronic data and said fraud was down from last year among the major credit-card issuers.
Lynne Strang, a representative of the American Financial Services Association, said data security had improved but remained an imperfect science.
"There's still a lot of clever people out there who keep finding new ways to crack the system, so it really becomes a challenge to stay a step ahead," Strang said.
In the case of CardSystems Solutions, the culprits probably compromised a server or servers on the company's computer network, Morse theorized: "Once they had access to the machines, I'm guessing they simply elevated their privileges to 'administrative' or 'root-level' users and simply copied the files from one machine to theirs."
Investigators in the case probably began with background checks on company employees. "It's the logical place to start," said Luehr, of Stroz Friedberg, LLC, a former federal prosecutor who specialized in computer cases. "One thing that remains fairly constant within the world of fraud is the problem of the insider."
For instance, a former help-desk employee at a Bay Shore, N.Y., software firm is serving 14 years in prison for selling more than 30,000 individual credit reports for $30 apiece. In his job at Teledata Communications Inc., which provides software to banks, Philip Cummings, 35, had access to passwords and codes used to download credit reports. The information was used to obtain credit cards on which thousands of fraudulent charges were made. The scheme involved more than 20 people and caused losses of $50 million to $100 million.
If employee wrongdoing is ruled out in the CardSystems case, many experts said, the next obvious suspect is organized crime, possibly based overseas.
While it's difficult to track and apprehend such groups, it's not impossible.
In October, federal agencies broke up a suspected international identity-theft ring whose members allegedly sold at least 1.7 million stolen credit numbers, causing more than $4 million in losses for banks and credit card companies.
In March, federal law enforcement agencies broke up a suspected international software-piracy ring and conducted searches and seizures in Belgium, Denmark, France, Germany, Hungary, Israel, Great Britain, the Netherlands, Northern Ireland, Singapore, Spain, Sweden and the United States.
But like roaches after a nuclear attack, organized gangs are resilient and tough to stop. "You can put five in jail and three more may come back," said Gibbons, of Unisys. For example, Scotland Yard arrested several Russian gang members in 2004 who were accused of shutting down a British Internet gambling site and trying to extort $30,000 to get the operation running again.
"I talked to the chief operating officer of one of those sites and he said they had to spend about $20 million on their infrastructure so that they weren't vulnerable anymore ... but they still saw, every once in a while, similar kinds of (attempted) attacks," Gibbons said.
Fortunately, the software improvements fended off the hackers. "He feels they're probably moving on to other gambling sites, like the ones in the Caribbean," Gibbons said.
(c) 2005, Knight Ridder/Tribune Information Services.
GRAPHIC (from KRT Graphics, 202-383-6064): 20050629 IDENTITY THEFT