Thursday, April 21

Wicked Dreams

Now o’er the one halfworld
Nature seems dead, and wicked dreams abuse
The curtain’d sleep;
—Macbeth II.i

I’d taken apart the laptop I was issued at the office, used peripherals for entering data, wiped the hard drive and reinstalled everything, and stored all my data, including my email, on a removable drive. But I still wasn’t satisfied with the device. My personal laptop was faster, had more memory, and had all the software on it I couldn’t install on the company laptop. So the last thing I did before I got home Wednesday was buy a smartcard reader for my personal laptop and head to my cozy apartment to try using remote access from my personal computer. My laptop wouldn’t be recognized by the network, but my smartcard should let me through. Then, maybe I could explore the databanks of Central Card Services while others are asleep and unaware.

About 10:00 my phone buzzed and I snapped it open.

“Hamar.”

“Nails,” came the response, followed by a suppressed giggle.

“Sorry. Hi Andi. I didn’t mean to snap.”

“I must have caught you in Neverland. Do you have a minute?”

“Sure. I was just working on a computer and didn’t pay attention to who was calling.”

“I thought I had a custom ring.”

“The phone’s on vibrate. But I’m happy to chat anyway. Any break from the demons of the corporate world is welcome.” I smiled and left my desk so I wouldn’t be tempted to keep looking at the screen while we talked. It’s a bad habit. I plopped down in my recliner and clicked the light on over my one painting, a man looking out across the sea. It was painted by a dear friend back in high school and always makes me feel peaceful.

“Cali has been going on non-stop about how cool it was of you to pick them up in the Mustang. Everyone at school is insanely jealous. She and Mel want to know if you would chauffeur them every day.”

“Well…”

“I’m kidding, Dag. But seriously, Cali has a big-time crush on that car. She’s actually talking about wanting to get a driver’s license. You know Mel has had hers for over a year, but Cali just wasn’t interested until now.”

“Tell her a driver’s license isn’t enough to get her into the driver’s seat of my baby.”

“I’m sure. But the girls want to pay you back and asked me to invite you to the movies Friday night.”

“What movie?”

“They’ve got tickets for us all to go see ‘Once a Hero’ at Harvard Exit. It’s a new film with a PG rating. Please save me from being the lone adult with these two wild ones.”

“That sounds like fun. I can’t take four in my car, though. Mel was folded like a pretzel in the back seat this afternoon.”

“Not to worry. Mel’s parents approved the movie and suggested she drive her guests. They’re pretty conservative and even though Mel is 17, they still hold a tight rein on what she sees and with whom. I think they approved because I said I’d go with them.”

“From what I’ve seen, having Mel around would turn me into a very conservative parent as well,” I laughed. “What a wild child.”

“It might have worked the other way around,” Andi sighed. “I worry that all their rules have pushed her to act out in ways that aren’t always appropriate. At least it makes me look like the world’s coolest mom by comparison.”

“That you are. What time Friday?”

“The girls will pick us up from the Faculty Lounge at 7:00 if you are going to be there.”

“Sounds good. I’ll see you Friday.” I could hear cheers in the background as apparently Cali had been close enough to get the gist of our conversation.

“Good night, Dag. I seem to have a happy girl on my hands.”

“Good night, Andi.”

I was a pretty happy guy, too. I was going to take three beautiful women to the movies. Or be taken. What difference did it make? I sat for a few minutes just staring out at the ocean in the painting on my wall. Finally, I snapped out the light and settled back in front of my computer. The night was still young.

***

The most intriguing part of the CCS information highway was the fraud line. This was not a place where computer gurus analyzed threats, but rather a place where consumers reported problems with their accounts. I guessed that only one out of ten people who suspected a problem with their accounts actually reported it. That was about the same number who actually sent in rebate coupons when they bought something at a store. It was a great marketing ploy on the part of vendors. “This phone only $19.95 after manufacturer rebate of $50.00.” One would think that having ten customers would result in only $195.00 in revenue, but with only one of ten people sending in the rebate, the revenue was really $649.50. Average cost of the $19.95 phone was $64.95. What a deal.

Unauthorized credit card charges were similar. Half the time, credit card statements weren’t even examined unless there was an expense report to be filed. Then an unfamiliar charge might be passed off as just another expense. A spouse might assume it was just something the other had charged if the bill was examined. Then there were those who challenged an item on their card by calling the phone number associated with the purchase. There they would find that “according to the on-line agreement you signed, this renews automatically at the first of every month unless we are notified in writing of your intention to withdraw.” An especially tenacious customer might fight that out with the vendor, but still not report it to the credit card issuer.

But occasionally, a person will see something that is out of the ordinary and challenge it. Very rarely it will be done in such a timely manner that it enables the company to actually do something about it. “My electronic statement shows six charges for $29.95 late last night. I didn’t charge anything. What’s going on?” In that instance, the call gets bumped to the head of the queue. An employee searches the database of vendors for the offending party. Hmmm… a porn company in Israel. Anyplace else they’ve been charging? Hmmm… over 100 cards charged for eight items by that company just before midnight.

A calling force is organized to call all the affected cardholders to warn them that unauthorized charges have been made and their card information could be compromised. New cards are issued. Refunds are made, and the unit sent out to investigate the fraudulent vendor reports back that the company’s accounts have all been closed and the vendor has disappeared. Net loss absorbed by the credit card company of over $25,000 plus time. There is no one to prosecute. Perhaps the company’s fraud losses move from two basis points to two-point-one basis points—a basis point being one cent of every hundred dollars in company transactions. The fraud barely registers in the accounts as a bookkeeping error.

But someone out there has just stolen $25,000.

I decided to plunge into this seamy underbelly of the CCS Cyberworld.

***

It was a journey into the ghetto. Every possible thing on earth can be bought with a credit card—drugs, prostitutes, a kidney, a trip to the space station. As long as the vendor has established a merchant bank account, credit cards are good.

Having learned from the underworld bosses of prohibition, most of these operated as respectable businesses. Their accounting was meticulous. They paid sales and income taxes—though not necessarily on the actual goods being sold. There was no reason for the IRS to investigate. On paper, they were legitimate businesses. Some drug lords even thought of themselves simply as successful businessmen.

In reality, the purchase of web design services by a wealthy businessman may have included a web template snatched from a free design site and a prostitute a week for six months. Of course, there could be a charge for a seventh and eighth month as well, but said businessman was not going to complain that he didn’t get his prostitute those months. It wouldn’t be good for his image as a church-going husband and father of three.

Here in the darkest parts of the city, there was really only one business—greed. Any way to move money, even virtual cash, from one pocket to another was accepted.

A line of angry men pounded on a locked door demanding a refund. The door stood alone in the middle of the street and it was obvious there was nothing behind the door. The vendor had closed shop and taken it with him when he left.

A woman pled for help at the door of a mission in return for the years she had been donating to it. The fat pseudo-priest reminded her that she had not subscribed to a long-term care package, but described what a wonderful future she would have if she signed over her remaining assets to them.

Then I saw a new shop setting up, just up the street. It was being established directly behind an innocuous storefront. In fact, if you entered through the old and respectable store from the street, you walked directly into the new scam operating behind it.

“We’ve noticed that you aren’t receiving our current information at your home address anymore,” the shopkeeper said as I entered the space. It looked new. The logos adorning the walls were the latest corporate color scheme, the furnishings boasted lots of chrome and glass. It was exactly like entering the corporate offices of CCS. “So we’d like to make sure our information regarding your account beginning 7785 is current. Just fill out this simple form with the last 12 digits on your credit card, your expiration date, and CCV code from the back of the card. Then be sure to check which of the following items you do not want us to send to you. This is your opportunity to opt out of any of the offers on our list. Otherwise, we will renew the mailings to your home address along with our apologies for the inconvenience you’ve suffered by not having these valuable offers.”

This guy was good. First, he already knew the first four digits of my credit card. Wow. Must be legit. Secondly, I was going to start receiving all this junk mail if I didn’t opt out. I certainly didn’t want that. And finally, I couldn’t opt out if they didn’t have the correct account information. I wondered how many people had already responded to this generous offer in the few minutes it had been open.

I walked around a bit and checked the building permits for the new shop. Finally, I managed to identify the employee who was responsible. He led me into a private office where he proceeded to snow me with purchase orders, design instructions, and answers to every question but one: Who was he? I left the shop and circled around it, then found a stair that led under the shop. I looked around at the foundations and understood. It had been built inside an abandoned office. The entire infrastructure was in place, but the project had been curtailed months ago. Boxes were sitting in a delivery room, and they all had a single name written on them.

I hesitated. Was I sure this wasn’t another false identity? There would be no going back. I felt a tremor and realized the shop was being disassembled as I spoke.

I stepped back and pulled the trigger.

***

Thursday morning, I dragged myself out of bed, showered, shaved, and headed to the office in spite of feeling like crap. I’d not slept at all in the hour and a half I was in bed. I was anxious to get to the office and see if there were any results from my foray into the guts of the company the night before. I grabbed coffee at the Analog on my way down the hill, caught a bus on Olive and jumped off at Third.

I was just in time.

Before I entered the building, police came out with a guy in a polo shirt and slacks, hands cuffed behind him. The officers pushed him into a waiting patrol car and then turned to address the tall, dark-haired man behind them. Don Abrams, Director of Network Security, was nodding and I could hear the tail end of his conversation as I approached.

“We will definitely support charges. We’ve already notified the FBI as well as Seattle Police. We were lucky to catch it before there was a serious compromise of customer data.”

“We’ll take it from here,” the officer said. “But the server unit has to be secured as is in order to be used as evidence.”

“We’ve disconnected it already and it’s ready to be picked up for impound,” Don said. He was so angry there was a flush about his face. The officer got in the car and Don turned back to the door, almost bumping into me.

“Hey!” I said. “What’s up?”

“That scumbag heisted an abandoned sub-domain and spent the night lifting credit card information from customers by posing as a marketing opt-out site. We got an alert about four this morning and have spent the last four hours tying down the site and corralling the bastard. I can’t believe it.”

“Somebody high up?”

“No. Just a damn web designer who stumbled on a vulnerability that we’d never closed.”

“A lot of publicity coming out about this?”

“Fortunately we were alerted almost as the guy started operating. We were able to stop the flow of data before it got offsite, so technically we don’t have to go public. But we’ll do whatever is necessary to put that creep behind bars.” Don and I went up to the 23rd floor in silence. “I’m sure we’ll hear about this from Arnie this morning, though. He’s been here since seven.”

“Wish I’d have been here for all the fun.” Don looked at me a little strangely and then nodded as he turned down a different hallway.

“Later.”

***

Corporations the size of CCS have hundreds of websites, but usually only a few domains. Additional pages that are needed for promotions, products, departments, or other legitimate purposes are often sub-domains. Sub-domains do not have to be registered with any naming authority. A company might, for example, have a site that is promotion.companyname.com. Companyname.com is the domain. Promotion is the sub-domain.

Until a few years ago, it was common practice for entrepreneurs to buy up domain names and hold them, especially if they could get the names of major corporations. Eventually the companies would want the domains that matched their company name both for convenience for the customer and to protect themselves from being spoofed. Now it’s illegal to camp on a domain name someone else might have a legitimate claim to, but there are other methods of making browsers believe they are viewing something other than they are.

Buying domain names for illegal purposes is a risky proposition. The names have to be registered and the owners can be located. But since a sub-domain is not registered, it could be used for less ethical purposes. In the case of CCS, the web designer had gained access to an FTP account for an abandoned sub-domain that still had server space. He sent an email to several thousand customers informing them that they needed to opt out of various mailings related to their accounts. It all looked legitimate except for three things. First, legally a user must opt-IN to promotional use of their information. A user should never be told she has to opt-OUT in order to avoid getting mailings. Secondly, the first four digits of every card issued by a specific bank or bank system are the same. Therefore, having the first four digits in a mail does not indicate the sender knows anything about the account. Thirdly, banks and credit card issuers do not ask for account information. They already have it. They might ask for proof of identity, a password that has been set up (not the ATM PIN), or last four digits of the SSN. They already know the account number.

The trickiest part of my late-night foray into the company’s intranet was identifying the perp without identifying myself. I was feeling pretty proud of myself for having solved the problem. I was ready to return to my life as a private investigator.

When I got to my desk, and logged into my laptop, I fully intended to email Arnie and resign, having fulfilled my contract. But as soon as my screen connected to the company network an alert box showed up in the middle of it. The message was simple.

“Nice job on small fish. Now catch the big one. OK”
