The U.S. Federal Bureau of Investigation (FBI) issued a warning earlier this month about computer hackers targeting American enterprises that do business over the Internet. More than 40 U.S. companies were identified as victims, with a total of over a million credit card numbers stolen. According to the FBI, most of the damage appears to be the work of hackers from Russia and Ukraine. RFE/RL's Nikola Krastev reports from New York on efforts to combat the troubling new levels of computer hacking.
New York, 22 March 2001 (RFE/RL) -- A hacker from Russia using the name "Maxus" made headlines last year when he broke into the computer system of a U.S. retailer, stole 300,000 credit card numbers and demanded a ransom for their return.
The company, CD Universe, refused to pay the ransom, estimated at more than $100,000. As a result, credit card numbers of thousands of the company's clients were soon being publicly posted on anonymous web sites.
Hackers from Eastern Europe and the former Soviet Union -- particularly from Russia and Ukraine -- had already made a name for themselves in the United States. But the demand for ransom put "Maxus" -- who was never caught -- in an entirely new category of cyber-crime.
That incident -- and a warning issued last week by the Federal Bureau of Investigation -- reflect a growing worry that hackers are becoming a serious threat to businesses and consumers. Security experts tell RFE/RL that some of the hackers are considered dangerous and sophisticated criminals who often prefer to work in teams.
Jeanne Capachin, an analyst at the Massachusetts-based Internet security firm Meridien Research, explains how the nature of computer hackers has changed in recent years:
"The other thing is that there seems to be more malicious intent this time, where they're looking to blackmail the companies rather than just [do] what some of the hackers do -- just identify the holes and [maybe] go on from there. But these guys -- they are actually trying to damage the reputations of some e-commerce companies."
Other analysts say that hackers involved in the penetration of U.S. e-commerce businesses tend to team up in order to use the specific talents of each of their members for particular types of Internet fraud. Elias Levy, of the online security watchdog SecurityFocus.com, describes the system:
"That type of association in hacker groups is very common. You'll find four or five or up to 10 or more hackers. They get together and just act loosely as a group. For example, some of them may 'skill' credit cards, some of them may 'skill' breaking into systems, some of them may specialize in one type of system or another, and by working together they pool their talent."
While credit card fraud is as old as the credit card business itself, the frequency of illegal charges in online transactions has increased along with the growth in e-commerce.
A recent study by the Washington-based consulting firm McConnell International has found that Russia, Ukraine, and other countries in the CIS and Eastern Europe lack effective laws for fighting computer crime. The study concludes that lack of legislation has made these countries a hub of electronic fraud -- and has undermined their participation in the growing Internet economy at the same time. Russ Cooper, an Internet security expert, tells RFE/RL that hackers based in the CIS and Eastern Europe are not necessarily more sophisticated than their Western counterparts. But, he says, they seem to have much less respect for U.S. law:
"Well, they probably feel it's less likely they're actually going to be extradited and prosecuted. If I am a U.S. hacker, I have a pretty good idea that I can probably be tracked. They [the FBI] can probably track the Russian hackers as well, but the next problem is -- how do you get them from there to here? Look what happened to the guy in the Philippines with the 'I love you' virus."
Last year's so-called "Love Bug" case demonstrated how traditional legislation was unprepared to cope with online fraud. A 24-year-old student from Manila, Onel de Guzman, caused hundreds of millions of dollars damage worldwide by sending out a virus that destroyed files and stole email passwords. He was able to avoid prosecution as Philippine officials scrambled to create appropriate laws on cyber-crime.
But some analysts say that even improved legislation and security standards will not spell an end to the problem of Internet fraud. Cooper says the problem is that the people creating Internet security systems and the people trying to break into them are very often the same. He adds that the issue is complicated by the significant payoffs made possible in cyberspace:
"Credit card theft is a big thing in the physical [that is, non-cyber] world as well. The results are much greater if a successful attack is made on the Internet than in the physical world. If I pickpocket your wallet, I get one credit card number, maybe a dozen, whatever. If I break into a big website, I might get 150,000 credit card numbers. So, obviously the reward is much greater and, certainly, there's no doubt that organized crime is attempting to use that."
Some experts say the some 40 U.S. e-commerce companies included in the FBI advisory are only the tip of the iceberg. They note that many companies do not report incidents of cyber-fraud for fear of compromising their integrity and admitting their websites' vulnerability to hackers' attacks. That makes it difficult to calculate the true damage done by hackers. But experts say that the damages may be well in tens or even hundreds of millions of dollars. They point out, however, that improvements in security technology are outpacing hackers' own advancements in skill. This is giving e-businesses the ability to safeguard their clients' credit cards from Internet attack.
Some analysts say that the profit involved in Internet fraud remains relatively low. In most cases, stolen credit card numbers are used only once or twice before the theft is discovered. Given the sheer volume of stolen credit card numbers, perpetrators often resort to so-called "wholesale" methods, by which card numbers are distributed in bulk to trusted partners, usually in lots of 1,000 at $1 a card.
VISA, the largest issuer of credit cards in the United States, recently introduced stringent rules for online purchases. While consumers in the U.S. are responsible for only the first $50 in fraudulent charges that appear on their card, merchants who accept fraudulently obtained credit card numbers are, as a rule, responsible for covering the bulk of the losses.