Future Crimes

by Marc Goodman

  For data brokers such as ChoicePoint, Experian, and Equifax, the economic incentives are gravely misaligned from a public risk and security perspective. This is particularly true in the age of big data, when organized criminals now find themselves in the knowledge management business. They are an efficient, effective, and industrious force in the world of big data, and the more we create, the more they are happy to consume.

  Social Networking Ills

  Social media are great fodder for identity theft, as all the information criminals need to pursue you is freely available online, whether it’s your date of birth or your mother’s maiden name on your Facebook account. You may be thinking, “Criminals can’t see that information … I’ve blocked it in my privacy settings.” If only the system worked as advertised. There are many reasons why any information you post to Facebook leaks. First, as noted above, when Facebook updates its ToS, it will often reset your desired privacy settings back to the least private options available, making these data available to anybody, especially its advertisers. Second, with 600,000 Facebook accounts compromised daily, it’s only a matter of time before criminals get around to you. Last, given that social data are now “where the money is,” criminals have created specialized tools, in the form of targeted viruses and Trojans, to take over your Facebook and other social media accounts without your permission.

  At least 40 percent of social media users have been exposed to one form of malware, and more than 20 percent of us have had our e-mail or social networking account compromised or taken over by a third party without our permission. Bad guys trick users into clicking on links in posts and messages that purport to come from friends or colleagues using a technique known as social engineering. Criminals take advantage of the trust we extend to those in our social network by masquerading electronically as these trusted parties, invariably tricking users to click on a link that will ultimately infect a computer with a virus, Trojan, or worm. Moreover, organized crime groups are extremely quick to react to breaking news, which they use to dupe innocent users to click on as a means of infecting them. Whether it was the earthquake in Haiti, Justin Bieber’s arrest, or Miley Cyrus in the nude, the headlines are too good to ignore and thus people click on them. When Malaysia Airlines Flight MH370 went missing over the Indian Ocean, scammers were ready to go with fake photographs of the plane and purported videos showing “MH370 found at sea, shocking video just released by CNN.” The messages spread like wildfire over social media to a curious public eager for answers, not realizing they had just infected their machines with viruses. Sometimes curiosity really does kill the cat.

  One of the best-known pieces of social media malware was known as Koobface (a variation of “Facebook”), which targeted Facebook users around the world. The malicious social media worm spread by tricking users to click on a Facebook link with an impossibly compelling headline such as “OMG—I just saw this naked video of you!” Who wouldn’t click on such a message? Unfortunately, one curious click can lead to a flurry of malware. Once infected, the Koobface worm steals any available log-in credentials it can find on your machine, including those for your Facebook, Skype, Yahoo! Messenger, and Gmail accounts. Koobface can also force your computer to take part in denial-of-service attacks against third parties and hijack your Web search returns and clicks to take you to untrusted Web sites. The malware was designed and disseminated by a hacking group in St. Petersburg, Russia, and though the criminals responsible were individually identified and even publicly named, Russian authorities have refused to extradite them to face trial for their crimes.

  Of course these days, social media attack tools have become streamlined, and one need not even be a master hacker to steal information. For example, Firesheep is a simple Firefox browser plug-in that anyone could download to take over the Facebook session of others on the same network and hijack their Facebook accounts. With this, for example, if you checked your Facebook account at a local Starbucks while sharing the network with twenty-five other people in the coffee shop, and if one of them was running Firesheep, the hacker could use the plug-in to log in as you on your own Facebook account. Easy as pie. Once logged in, the crook could see all your personal information, change your account settings, and post anything he or she wanted on your wall or in messages to other users. This technique is sometimes known as session hijacking or “sidejacking” and is ridiculously easy to execute.

  Criminals are also targeting users on social media sites via third-party apps and online games, attacks that grant them access to your bank account and can ruin your credit. This was a lesson Lisa Lockwood of Baltimore, Maryland, learned the hard way when the information her seventeen-year-old son had provided a Facebook gaming app came back to bite them both. The game offered the teen extra gaming points in exchange for filling out an account application that asked for his Social Security number. Without thinking, and with visions of more points to “level up” dancing in his head, the teen completed the application, never realizing his Social Security number was about to be used by criminals to complete seven separate car loan applications on his behalf in a matter of days. It was only when the boy’s mother received a telephone call from a local Subaru-Volkswagen dealer inquiring about her son’s credit application for a new car that she learned of the incident.

  Illicit Data: The Lifeblood of Identity Theft

  The explosion of data has led to the creation of a brand-new industry for transnational organized crime groups, and mass identity theft is the result. According to the Congressional Research Service, identity fraud cost Americans nearly $21 billion in 2012, and more than 13.1 million Americans are reportedly victims of identity fraud annually. That works out to about one American every two seconds. Furthermore, the theft of this personally identifiable information is a gateway crime that leads to any number of other criminal offenses such as financial fraud, insurance fraud, tax fraud, welfare fraud, illegal immigration, and even terrorist finance. Exponential growth in data is leading to exponential growth in online crime.

  Children are the fastest-growing group of victims of identity theft. They are particularly vulnerable because they don’t have early-warning systems built in as do adults. If somebody fraudulently charged $500 or $1,000 to your credit card, you would likely notice it on your next billing statement, but children don’t get credit card statements. Thieves who pilfer their identities can use them for eighteen years, and only when these young adults apply for credit themselves, such as college student loans, do they learn that their credit history has been destroyed by information thieves.

  In the United States alone, 500,000 children are victims of identity theft annually. According to a study of 40,000 children by Carnegie Mellon University’s CyLab, kids are shockingly fifty-one times more likely to be victims of identity theft than adults. From toddlers to teenagers, young people are readily targeted because their credit histories are nonexistent and thus a tabula rasa for organized crime groups. Parents don’t find out about the crimes and identity thefts until years and years later, when suddenly they are confronted by aggressive bill collectors attempting to collect on their children’s unpaid debts. Given the extent to which children and young adults live their lives online, and the aggressive ways in which data brokers and large companies are pursuing them, it is perhaps to be expected that they would face significant threats from identity thieves. If only these financial woes were their biggest problem. As we shall see, the data we all leak can lead to physical dangers as well.

  Stalkers, Bullies, and Exes—Oh My!

  The volumes of data about you sloshing around online are useful not only for identity thieves but for legions of other criminals as well. Old-world crimes are increasingly enabled by newer technologies, and big data allow traditional criminals to target you with ever-greater precision. Through our persistent 24/7 online lifestyles, we are reachable at all times, even by those who we wish could not reach us. What is odd about this phenomenon is that often we, through our voluntary provision of i
nformation or via data leaks, are making it easier for stalkers, harassers, and criminals to find us.

  Take, for example, the case of cyber bullying. Though bullying has always been a problem in schools, the Internet provides cyber bullies with instant access to their victims, not just in the school yard, but everywhere, at all times. The threats come online, via e-mail, on social media, on mobiles, and even via messaging apps and games. According to the National Crime Prevention Council, nearly half of all teens are affected by cyber bullying. For young people facing the persistent harassment, it seems as if there is no escape; as a result, a full 20 percent of middle school students admitted to “seriously thinking about attempting suicide” because of online bullying.

  Children are not the only ones victimized by cyber bullying; cyber stalking is increasingly affecting the adult population as well. In fact, the ever-expanding flows of data about us and our persistent online presence have helped to transform the Internet into a fertile ground for a new breed of criminal known as the cyber stalker. These offenders use the Internet as “their weapon to harass, threaten and intimidate their prey.” Cyber stalkers do this by sending unwanted e-mails, text messages, postings, and tweets and by spreading rumors about the victim online. Using the data that each of us leaks every day or that are commonly available via data brokers, cyber stalkers can easily obtain detailed information about their victims, including their home and work addresses and phone numbers. Often these details are used by cyber stalkers to confront their victims in person.

  Facebook has been of particular use to stalkers. With each of us having hundreds of friends, many of whom we’ve never met, it would be wise to more carefully consider who was actually sending those friend requests. Christopher Dannevig used Facebook to find his victim, Nona Belomesoff, an eighteen-year-old woman from Sydney, Australia, and meticulously studied her profile before contacting her. It was Belomesoff’s frequent posting about her love of animals on her Facebook page that gave her stalker the idea of how to persuade her to meet him. Using the social media data the young woman was innocently leaking, Dannevig created a fake profile under the name “James Green” and claimed he worked as an HR recruiter for a well-known local animal rescue group. The woman’s stalker used the very details she had posted to con her. After creating the fake profile, Dannevig contacted Belomesoff and exchanged a series of messages, eventually befriending her and gaining her trust. Shortly thereafter, he announced there was a job opening at the animal rescue charity for which she would be a perfect fit. Belomesoff agreed to meet him for an interview, and her stalker offered to drive the young woman to the animal shelter located in a secluded area just outside Sydney. Thrilled at the prospect of having found a paying position working with the animals she loved, she agreed to travel with the man. It was there, in the deserted outskirts of Sydney, that Dannevig strangled and murdered the girl.

  Though the threat from strangers using our data to find and stalk us is real, it pales in comparison to the perils we face as a result of domestic violence and harm by those with whom we once shared an intimate relationship. Facebook makes it easy to keep tabs on a former boyfriend, girlfriend, or spouse out of a normal, though unhealthy, level of prurient curiosity. New friends, life updates, changes in relationship status, travel locations, and vacation plans are all of great interest to former partners. The phenomenon is so common that “Facebook stalking” has even entered the common lexicon.

  But for some, the data we leak fuel much more than curiosity on the part of our ex-partners. In those relationships that involved domestic violence in the real world, 45 percent of victims admitted that their abusers followed and attacked them online as well, causing many to suffer from PTSD. Social data can also provide details as to their locations, and because abusers often go to great lengths to find their victims, an innocent tweet, check-in, or status update could be as effectively dangerous as a bullet. For instance, Paul Bristol flew from Trinidad to England to stab his ex-girlfriend to death after seeing a post of a photograph with her new boyfriend on Facebook.

  Another challenge in the world of big data is that the information we share and intend to keep private leaks out to others. Often we are betrayed by those with whom we have entrusted the most intimate details of our lives, particularly with the photographs we have shared. Sexting, or the sharing of sexually explicit SMS photographs via mobile phones, is a growing phenomenon, and some 67 percent of college-aged students have admitted to engaging in the practice. Unfortunately, photographs shared in such a manner do not just disappear, and these data detritus, like all other forms, often come back to bite their originators in unexpected ways.

  Web sites such as MyEx.​com allow the jilted to share photographs of their ex-lovers on a single Web site. There are more than seven hundred pages of photographs of naked men and women, with paragraphs of complaints about those in the photos—terrible lover, cheated on me with my sister, small penis! Another wildly popular site, IsAnyoneUp.com, was created by twenty-four-year-old Hunter Moore as a data repository for anyone to submit naked photographs of their exes and enemies and was visited by a quarter of a million people daily. The phenomenon has become so popular it now has its own name: revenge porn. Moore’s site by design listed next to each photograph links to the person’s Facebook or Twitter account, her full name, and hometown and made this information fully indexical and retrievable in Google so that it would show up in an innocent search by a third party looking for that person. Every naked photograph was accompanied by a comments section that allowed members of the public, and Moore himself, to comment on and ridicule the photographs.

  Online Threats to Minors

  According to the Pew Research Center, today 95 percent of young people in the United States are online, and 74 percent of teens aged twelve to seventeen are mobile Internet users, often accessing the online world via cell phones and tablets. Moreover, 95 percent of young people aged ten to twenty-three have at least one social media account. Much of this Internet access takes place outside the purview of their parents, 74 percent of whom say they are overwhelmed by modern technology and don’t have the energy, time, or ability to monitor what their children do online. That is unfortunate, for although cyber bullying by peers is a major source of stress for young people, they face even greater dangers in our increasingly connected world.

  Child predators have used technology to great effect to zero in on children for the purposes of sexual abuse. So common is the practice it even had its own television show highlighting the phenomenon, NBC’s To Catch a Predator. The challenge for children is that four out of five of them cannot tell when they are talking to an adult posing as a child online. Their new online friend—the other eight-year-old girl one town over—could just as likely be a fifty-year-old man two states away, willing to travel across state lines for the purpose of child abduction.

  Given that pedophiles have noted preferences in the children they pursue (age, gender, hair color, height, and so forth), any photograph posted on social media or elsewhere online can be used as a shopping catalog or virtual marketplace for child sex abusers looking for victims to target. Pedophiles make it their business to know the very latest games, messaging services, and virtual worlds of interest to children and will seek out their victims in every possible online forum, using a variety of tools ranging from Xboxes to iPads. Lest you think the demand for such disturbing photographs is limited, law enforcement sources have identified at least twenty-two million such images and videos in the United States alone, and some password-protected child pornography Web sites have up to thirty thousand paying members.

  Today the volume of pedophile images is growing, not because an adult has necessarily abducted a child and abused him or her, but because young people are readily targeted via subterfuge and social engineering.

  Such was the case with Amanda Todd of British Columbia, Canada, who at the age of twelve was coerced into flashing her breasts on a live video chat site popular with teens known as blogTV.
The anonymous person who made the request seemed nice and complimented and flattered young Amanda on how pretty she was. In a moment of teen naïveté, Amanda revealed her breasts, assuming the requester was another teen. As time passed, however, she realized she had encountered a much darker force. A year after her disrobing, Amanda received a message on Facebook from a man under a pseudonym who demanded the young girl reappear nude and perform sex acts on camera for him. If she refused, he threatened to release the original video of her topless. To prove he was serious, the attacker revealed the names of Amanda’s friends and family, her address, and the school she attended and said all would be shown her video. The young girl demurred, and the harassment began.

  Her tormentor created a fake Facebook profile in Amanda’s name and used a photograph of her bare chest as the profile picture. He then began sending friend requests to all of Amanda’s friends, family members, and teachers whom he had discovered on her true account. Amanda was unaware of the incident until the police, worried about the implications, came knocking on her family’s door at 4:00 a.m. on Christmas Eve. Amanda was horrified. Upon returning to school, she was bullied and harassed relentlessly. For the young teen, the pressure was unbearable. Depression, anxiety, and panic disorders set in. She cried herself to sleep every night and was disowned by her friends, who blamed her for appearing in the video. She ate lunch alone every day and began cutting herself.