When Donna Getgen opened a letter from her credit union in March, the message within was anything but routine. Getgen was informed that she had been the victim of a cyber-theft.
Getgens account number, the letter read, was stolen from a database at BJs Wholesale Club Inc., where she shopped from time to time.
Stunned, Getgen, a business operations specialist for a high-tech company from Owings, Md., would later learn that she was one of tens of thousands of victims of one of the largest cyber-thefts in recent history.
The BJs security breach, which occurred over seven months from late 2003 to early this year and compromised thousands of debit and credit cards, was just the latest example of the kind of large-scale cyber-crime being perpetrated with greater frequency than ever in the United States and around the world.
Ironically, as the number and scope of cyber-crimes proliferate, local, state and federal authorities are scrambling for resources to combat the threat. In many cases, the authorities are directing resources away from cyber-crime cases.
“Most Americans would be surprised to know that thousands of credit card numbers are sold online every day, and very little is done to stop it,” said Jim Melnick, director of threat intelligence at iDefense Inc., in Reston, Va., and a former Defense Intelligence Agency officer.
“The dirty little secret is that theres all this other stuff going on that nobody is stopping. Im not sure theres an understanding inside Washington of how pervasive cyber-crime is.”
Increasingly sophisticated schemes—from outright break-ins to so-called phishing scams—are among the biggest problems facing financial institutions today.
The number of phishing attacks alone has grown by 1,200 percent in the past year, according to MessageLabs Inc., in New York. Phishing is the practice of sending fraudulent e-mail purporting to come from a bank, credit-card issuer or other trusted source to solicit account numbers, Social Security numbers and other sensitive data.
A comprehensive study of the problem released last month by analysts at Gartner Inc., of Stamford, Conn., shows that more than 57 million Americans have received at least one phishing e-mail. The financial losses suffered by banks and credit card issuers that ultimately pay for these frauds amounted to $1.2 billion last year, the study said.
Despite the mounting research, bank officials contacted for this story said they, along with credit card issuers, are doing most of the education and prevention regarding cyber-crime without much help from law enforcement or government regulators.
“The biggest risk right now for us is the loss of reputation,” said Michael Roberts, senior vice president and CIO of the Bank of Alameda, in California. “We get a lot of people who have had their account numbers or Social Security numbers stolen and come to us for help. We cant have that.
“Identity theft is escalating, and its moving offline. We see people coming in here with stolen numbers trying to open accounts. Its happening.”
Actually, cyber-crime has been happening for years. It is only now entering the public consciousness, thanks to high-profile incidents like the BJs theft and elsewhere, such as those perpetrated on Guess Inc. and MTS Inc.s Tower Records unit.
In fact, of the 500 companies that responded to a recent FBI survey, 90 percent said theyd had a computer security breach, and 80 percent of those said theyd suffered financial loss as a result.
Today, online criminals use stolen credit card numbers as illicit currency. The information is traded for other commodities, such as Social Security numbers or access to networks of compromised PCs that can be used in distributed-denial-of-service (DDoS) attacks.
But as the cyber-crime rate climbs, security experts, consumers and even former government officials are questioning why federal lawmakers and administration officials have devoted so few resources to combating the menace. Many attribute the resource issue to the war on terrorism.
“There were decisions made that things like credit card investigations werent worth it at that point,” said one former federal law enforcement agent who was involved in cyber-crime investigations for more than a decade.
“Cyber-crime was put on the back burner. Pure investigations into cyber-crime have diminished at the FBI and the Secret Service.”
Indeed, in the months following the terrorist attacks of Sept. 11, 2001, counterterrorism became the highest priority for the FBI as well as the Secret Service, the two federal agencies responsible for the bulk of the governments cyber-crime investigations.
That shift took its toll on the computer crime units at both agencies, and nearly 20 Secret Service agents who were working on cyber-crime at the time of the attacks were transferred to terrorism investigations.
“Theres a broken spirit in the government as far as cyber-crime,” the former agent said. “Its one of the most daunting tasks that law enforcement has ever had to deal with.”
For those investigators at the FBI and Secret Service still responsible for handling cyber-crime—about 300 and 100, respectively—many are often pulled away from their regular duties to work on special details, which can lead to long delays in completing investigations.
“There just arent enough agents to do whats required,” the former agent said. “The response from the government hasnt been commensurate with the problem. The big investigations that you see on TV with the press conferences were the exception, not the rule.
“Theyre just showpieces. Having a massive investigation every six months is inconsequential when you have a crisis going on.”
According to government and law enforcement officials, the lack of interest in fighting cyber-crime comes from the top down and is traced to the current and past presidential administrations.
Richard Clarke, chairman of Good Harbor Consulting LLC, in Herndon, Va., and a former counterterrorism official in the Clinton and current administration, often warned of the potential for a terrorist-based computer attack that would take out portions of the U.S. power grid or financial networks.
When the power grid that serves huge swaths of the Northeast, Midwest and portions of Canada failed on a sweltering day last August, just days after the outbreak of the infamous Blaster worm, many people thought Clarkes oft-repeated prediction of a “digital Pearl Harbor” had come true.
Within hours of the blackout, CNN reported from the paralyzed streets of Manhattan that U.S. officials were investigating the possibility that Blaster had caused the outage.
It seemed to fit. Blaster was running rampant on the Internet, infecting hundreds of thousands of machines. More to the point, other recent worms had wreaked havoc with machines and networks not normally thought to be vulnerable.
The SQL Slammer worm in January 2003 brought down the 911 dispatch system in Bellevue, Wash., and disrupted the operation of Bank of Americas network of ATMs, angering customers and inciting fears that so-called crackers had stumbled on a new attack vector. Then Blaster arrived.
But in the 10 months after the blackout, no evidence linking Blaster to the outage was found. In fact, an exhaustive report written by a joint U.S.-Canadian committee formed to study the blackouts effects determined there was no connection to any deliberate malicious attack on the power companies computers.
“The [Security Working Group] found no evidence that malicious actors caused or contributed to the power outage, nor is there evidence that worms or viruses circulating on the Internet … had an effect on power generation,” the report concluded.
The report should have relegated Blaster to a footnote in the matter. But many security experts point to the incident as a perfect illustration of how the specter of cyber-terrorism can obscure the real problem of cyber-crime.
Tip of the Iceberg
While examples of cyber-crime abound—from database theft to Nigerian banking scams to the rigging of online gambling to worm attacks—no current or former government officials, no law enforcement officers and no security experts interviewed for this story could cite a single example of cyber-terrorism.
“There havent been any at all, to my knowledge,” said Howard Schmidt, chief security officer at eBay Inc., in San Jose, Calif., and former chairman of the Presidents Critical Infrastructure Protection Board and one of the first dedicated computer crime investigators in the country, first with local law enforcement in Arizona, then with the FBI and later with the Air Force Office of Special Investigations. “I actually refrain from using that term [cyber-terror].”
Thats not to say the possibility doesnt exist for a concerted, targeted attack to bring down a critical banking network, utility grid or other vital system.
Clarke, for one, sees the threat of cyber-terrorism as a serious concern for the United States. “What we see today is just the tip of the iceberg in terms of whats possible, especially if a nation-state wanted to get in on this,” he said. “As long as these things are possible, we run the risk that someone will do them.”
And while other observers claim terrorist groups are using the Internet mainly for communications and fund-raising, Washington insiders insist the government is not sitting by idly awaiting a strike.
“Cyber-crime is an alarming trend and one were actively [focused on],” said Amit Yoran, director of the National Cyber Security Division at the Department of Homeland Security, the nations top cyber-security post.
“Its a huge issue. The Department of Justices top priority is this. Were trying to build a threat-independent approach to protection. We dont care if its a terrorist or a kid. If theres an impact, thats what we care about.”
Yoran said that relatively little data on cyber-crimes is flowing between the different departments and agencies in federal, state and local governments but that efforts are under way to change that. Another problem, he said, is the naivete of most Internet users.
“I think theres a lack of general awareness among consumers about how vulnerable they are,” Yoran said in Washington. “The issues right now are overly complex, and the government has to simplify it.”
Donna Getgen might agree, although it doesnt offer her much comfort. No fraudulent activity was found involving her debit card account in March, and the Digital Federal Credit Union, in Marlborough, Md., went ahead and canceled the card and was in the process of issuing her a replacement by the time she received the letter. But Getgen is still distressed by the incident.
“I really have lost trust,” said Getgen. “I havent been back to BJs since this happened, and I dont intend to go back. If I did, it would be on a cash basis only.”