Transaction Security: Safe, Sealed and Secure

As governments shore up their financial institutions in the wake of October’s meltdown, securing the transactions that are the lifeblood of the global economic system is even more crucial than in the past. Fraud, identity theft, security breaches and a wide variety of scams are all threats to the economy, especially in perilous and volatile times.

Identity theft is one of themost pernicious crimes against consumers and undermines grassroots faith in banking institutions, especially if victims blame banks for the fraud committed by criminals outside the institution.

The problem is massive. According to the San Diego-based Identity Theft Resource Center, in 2006 some 15 million people were victimized: One every two seconds—28.5 every minute. In an April 2006 bulletin published by the Bureau of Justice Statistics, Identity Theft, 2004, an estimated 3.6 million households were affected by identity theft during a six-month period in 2004—and that was four years ago. The cost is also significant, with a 2006 survey done for the Federal Trade Commission showing thieves making off with $500 in goods and services per victim. In an important minority of cases, those victims spent as much as 130 hours and $1,200 of their own money resolving the problem.

The problem is growing, with the Identity Theft Resource Center reporting more security breaches in the first eight months of 2008 than in all of 2007. Some of those breaches are insider related, whether due to an inadvertent loss of a laptop or because a trusted worker sold data.

That’s one reason why ID theft-fighting steps are constantly being unveiled. For example, new Federal Trade Commission regulations went into effect at the beginning of November. These red-flag regulations, which spring from the Fair and Accurate Credit Transactions Act of 2003, require institutions to develop and implement written identity theft prevention programs. That may help put a crimp in the problem by catching it earlier than in the past. Another potentially helpful development is the establishment of the joint public-private Center for Applied Identity Management Research, which will be based in Washington (see sidebar).

Of course, criminals are also constantly trying to figure out ways around safeguards, often exploiting the latest technology. An example is the advent of mobile banking.

Fortent, a New York-based risk and compliance solutions company, has warned that mobile banking could be a rapidly growing fraud and money-laundering channel. Stephen Solberg, a Fortent senior product manager, warned that the third generation phones used for mobile banking don’t simply store numbers. Instead, they can function much like a laptop computer.

“So, if you lose that, it’s much different than losing a regular cell phone,” he told HSToday.

Financial institutions, cell phone makers, network carriers and software vendors are working to avoid such problems. For his part, Solberg expects the mobile channel to follow the path of online banking, which has steadily instituted improvements and changes designed to boost the security of financial transactions.

A virtual Cosa Nostra
To see how fraud interacts with terrorism, follow the money. While new regulations are tightening the net for ostensibly legitimate activities that provide terrorist funding (see sidebar), not all such financing has been aboveboard. There’s evidence of a nexus with crime. Hamas, for instance, reportedly earns millions of dollars through such activities. The Madrid bombings of 2004 had an additional criminal component, with Spanish authorities citing drug trafficking as playing a significant role in financing the attack.

Dennis Lormel, managing director of the anti-money laundering practice at the Washington-based international risk advisory firm IPSA International Inc., noted similarities between criminal gangs and organizations designated as terrorist groups by the US government.

“Hezbollah functions just like an organized crime family,” he said, adding, “There’s really no distinction between them and organized crime groups.”

Lormel knows a thing or two about tracking—and combating—terroristfinancing. Before joining IPSA, he spent decades in the FBI, specializing in financial crimes and related terrorist activity. He helped set up the Terrorist Finance Tracking Program that made use of bank transaction information from the Society for Worldwide Interbank Financial Telecommunication to ferret out suspicious activity.

To be sure, a very high percentage of fraud involves purely criminal activity. Thus, the biggest recent changes are linked to those that have taken place within organized crime, which over the last few years has seen the emergence of virtual crime networks. Part of the reason for this new criminality was prompted by new technology that made financial transactions at a distance easier.

Another reason for such virtual crime networks may be related to law enforcement. Traditional crimes, such as selling contraband, require physical proximity and place criminals within the reach of the law. Cybercrimes convey some protection for the perpetrators. The victims might live in the United Kingdom while the stolen data is stored in Malaysia and the actual criminals reside in Korea. Dividing the crime across multiple jurisdictions makes it harder for anyone to respond effectively.

The San Jose, Calif.-based Web security company Finjan issued its Web Security Trends Report—Q2/2008 (registration required) earlier this year that showed how virtual crime systems work. Like traditional organizations, these groups have a boss who oversees the entire operation and lower level underlings who interact with potential customers.

Finjan’s study showed that cybercriminals operate using business models not unlike those that govern legitimate concerns. For instance, the law of supply and demand applies. One result has been that credit card numbers and bank accounts with personal identification numbers that sold for more than $100 each in the past now go for $10 to $20 per item.

As is the case for legitimate businesses, these cybercrime concerns offer replacement of defective products, which in this case may involve stolen account numbers, credit card data or other identity theft-related information. The criminals also offer guarantees covering specific aspects of the product, such as its freshness. Together with the drop in the price of the stolen information, such facts provide investigators with information about this shadowy business world.

“It indicates how mature this market is,” said Yuval Ben-Itzhak, Finjan’s chief technology officer. “The fact that they offer replacement and the fact that they offer a guarantee is because they are living in a competitive environment.”

Finjan’s investigations have also shown that some of the information is used by criminals for direct profit. Indeed, there are indications that what is kept could be the most lucrative information. Captured exchanges show that such valuable items as credit card numbers, along with the associated three-digit card security codes, may be available, but not for sale.

Like their counterparts who conduct physical thefts, these virtual criminals make use of safe houses—their own “safe” servers. These servers contain stolen data and also act as the command and control center for various criminal campaigns. These interact with affiliation networks that, in turn, manage legitimate, although compromised, websites.

Finjan didn’t discover proof of a linkage between cybercrime and terrorists, noted Ben-Itzhak. “We found many cybercriminals, but who’s a terrorist, we don’t know. It was beyond the resources that we had to go that far.”

A shift in strategies
A study by Verizon Business, a Basking Ridge, N.J.-based unit of telecommunications giant Verizon, also found a worldwide black market for data. According to Bryan Sartin, the company’s director of investigative response, cybercrime has evolved over the last few years, tracing a path that sheds light ona possible growing connection between it, the security of financial transactions and trust.

A sophisticated affair a half decade or more ago, cybercrime then moved through a phase where simple-to-use tools were supplied. It has now morphed again. “In most of our cases these days, they’re low sophistication, low complexity and highly repeatable,” said Sartin.

The attacks now target vendors and other outsiders with access, gaining entry through the promise of cash. This opening is used to assault applications software, hitting multiple locations in, for example, a restaurant chain. The same tools, methods, fraud and patterns may be used in a campaign that runs for a while, harvesting information that can then be sold or collecting money directly.

Some 39 percent of all the cases Verizon Business now handles involve business partners who have some level of access, and so they can be considered insiders of a sort. Sartin expects this category of crimes to grow to be the vast majority of casework by the end of 2009.

This development has implications not only for the financial markets but also for terrorist financing. Unlike the limited pool of individuals who might engage in illicit activity for ideological reasons, there’s a much larger number who could be tempted into doing so for money.

Fortunately, there are some things businesses can do to cut down on their exposure. According to Verizon Business, these actions include segmenting data into transaction zones, so that insider access breaches can be mitigated. Another recommendation is to increase awareness of the potential for this kind of crime, since only some 14 percent of data breaches were discovered by the victimized organizations.

Even with increased vigilance, though, stopping such theft and fraud will be difficult. The challenge can be all the more daunting due to the support criminal and terrorist organizations receive. Sartin recalls one case where an invitation for an event at a foreign capital prominently displayed the name of a group known to engage in criminal activity.

“It makes you wonder to what extent you might have a little bit more than just criminal backing,” he said, raising the possibility of active criminal involvement by governments at some level.

Memories are made of this
While technology may have made it easier for fraud to take place from sources around the world, other advances are making it easier to uncover this activity. Among these are improvements in computer forensics. After being seized, computers and hard drives are searched by technicians who specialize in extracting information from magnetic media.

“You’re combing through that data, looking for connections to other terrorists, relationships with organizations, relationships of potential financing,” Travis Reese, chief operations officer and vice president of federal services at Alexandria, Va.-based Mandiant, explained to HSToday. The company does computer forensics, although not often for terrorist related investigations.

One of the problems with these searches is that the information on the hard disk may be encrypted. Indeed, the latest Windows, Mac and Linux operating systems offers full disk, on-the-fly encryption, with the data in the clear onlywhen it is in memory. There are also numerous third party software packages that do the same. Thus, even if a disk is captured, its usefulness in uncovering fraud, tracking terrorist financing and other activities may be limited.

For that reason, investigators have been looking into how to acquire memory snapshots. The computer memory could contain the keys necessary for decrypting the data on the disk, as well as other vital information.

BBN Technologies, Cambridge, Mass., developed a hardware-based random access memory capture tool. Network scientist Dan Brown, who worked on the project, noted that the goals were straightforward. “Our intent was to provide techniques that would either yield highly forensically reliable evidence or indicate that the information was jeopardized in some way.”

In the end, this objective of high reliability couldn’t be achieved, a consequence, according to Brown, of the computer architecture itself. The problem is that low-level software running on the machine can modify what the device sees in memory, either hiding data or making memory appear to be accessed when it actually hasn’t been.

However, a new method has been demonstrated by researchers from Princeton University in New Jersey. The technique exploits the fact that computer memory data doesn’t disappear immediately when power is cut off. Instead, it fades away, taking as long as several minutes to vanish. This process can be made substantially slower by cooling the memory chips, providing a way to circumvent the problems that plague other hardware approaches.

Such advances may be important, but there also could be help for the situation in the future due to another technology trend: the spread of smartphones. Given the way those engaged in fraud have adopted other technological advances, they’re likely to do the same for smartphones. That could be a boon for those trying to uncover criminality because of the nature of these devices.

Smartphones are small, easily lost or stolen and can store critical information. Unlike the computers they emulate, though, the data on them can, in theory, be much easier to extract, said Brown. “Their data is much less likely to be encrypted.”

So, as might be expected, technology both adds to and ­subtracts from the security of financial transactions. That situation won’t change and neither will the interaction, direct or otherwise, between criminals and terrorists. As IPSA’s Lormel noted, ­“Organized crime groups and the terrorist groups learn from each other. They adopt the better methodologies to improve their ­operations.”

Terrorist financing

Preventing a less than charitable outcome
Explaining why there was and continues to be a focus on terrorist pocketbooks, IPSA’s Lormel pointed to a central fact about terrorists: “Their two biggest areas of vulnerability are finance and communications. So if we can put things in place to exploit their vulnerabilities, we should take advantage of that.”

Of course, authorities aren’t the only ones who exploit vulnerabilities. Terrorists also look for advantages, and one they have successfully used for financing in the past involves charities, which Lormel noted have a large presence in the Middle East. In a typical setup, groups collect money from legitimate sources, with a stated goal of helping those in need. Some of these funds are then diverted in an almost reverse money-laundering fashion to other uses, which might be far removed from the publicly announced charitable objectives.

Quite a bit of that activity dried up when new laws were enacted and governments focused on this financing source after Sept. 11, 2001. The prospect of an investigation, along with a few high profile cases, had a chilling effect, one that may be waning. There are indications that donations to charities are again on the rise, which could once more make this a substantial source of funds.

One obstacle to shutting off this financing is the reality that these organizations may have either a real or perceived political and military wing, in much the manner the Irish Republican Army once did.  This distinction makes rendering aid to the organization more acceptable, particularly when a group like Hamas actually comes to power as a result of an election.

“How many nations don’t consider Hamas a terrorist organization or don’t recognize, for instance, the political arm or charitable arm to be terrorists at all?” said Lormel.

Nonetheless, there are some new tools that authorities have deployed. These include a recently issued set of guidelines that will be published as an appendix to the Reporting, Regulations, Procedures and Penalities Regulations, 31 CFR Part 501. These increase five-fold the penalty for knowingly violating economic sanctions and are administered by the Treasury Department’s Office of Foreign Assets Control. The stiffer fines, even if used sparingly, could help weed out prohibited transactions.

Creating CAIMR

In response to the growing problem of identity theft, corporate leaders, academics and federal officials announced a new initiative in October called the Center for Applied Identity Management Research (CAIMR), which will define and tackle the problem through studies funded by grants, federal agency funding, non-profits and foundations.

Founded by Norman Willow Jr., chief executive of LexisNexis Special Services, and Gary Gordon of Indiana University, CAIMR will be based at Indiana University, in partnership with the University of Texas in Austin. Partners include the Defense Department, the Secret Service, US Marshals Service and 14 major organizations and corporations in the private sector.

“The center’s purpose is to convene key stakeholders to marshal their respective strengths to help solve the challenges posed by identity theft and fraud,” Gordon explained at the Washington, DC, press conference launching the effort. CAIMR will serve as “a unique blend of those government, academic and industry experts that’s now at the forefront of replacing the fear and folklore of identity management with facts based on actual data.”

This kind of collaboration between the private sector, academia and the government in tackling this issue is unprecedented, added professor Fred Cate of Indiana University.

While acknowledging the government’s, and especially the private sector’s, past financial contributions to university research, Cate said that, “in order to manage the challenges surrounding identification management, it is going to be critical that we share not only the financial support for research but also that data, that experience and that expertise so that, in fact, we know we are focusing on the right problems, we are focusing on workable solutions and we are doing so with the most relevant information that is possible.”

Assistant Director Michael Merritt of the Secret Service Office of Investigations agreed. “A great deal more can be accomplished in fighting these crimes if we’re able to harness additional resources that exist outside government,” Merritt said, adding, “law enforcement alone is not adequately equipped to address all the involving technologies utilized by cyber criminals.”

—By Chris Bedford in Washington, DC

(Visited 29 times, 1 visits today)

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Leave a Reply