Gangs
Page 18
‘People just don’t realise how important their identity is, and how vulnerable it is,’ says Mary. ‘I know house burglars who say that people will buy safes and ensure all their cash and jewellery is well out of sight but think nothing of leaving old credit-card bills or passports lying around. It’s become so valuable that, for some of the guys I know, it’s all they go after. The beauty is that they can break into your house, take a few bits and pieces and half the owners will never even know. When the police arrive they will say the gang must have been disturbed because they didn’t take anything.’
Many people fail to take even the most basic security precautions. One survey of 2000 people found that one in three did not destroy bank and card statements, which contain account details.
But burglary isn’t the only way to get hold of such information. The computer whiz-kids working for Mary’s gang say any computer logged on to the Internet is a rich source of information from credit-card and bank-account numbers to passwords and billing addresses. Using this as a starting point for getting hold of personal details, the gang has made more than £300,000 in the past year.
And Bevan should know. In 1996 he and a friend were accused of almost starting the third World War from his bedroom after hacking into secure computer systems belonging to the US Air Force and defence manufacturer Lockheed. Bevan, who used the name Kuji, hacked into a research centre at Griffiss Air Force base in New York state and allegedly planted a sniffer programme to obtain further passwords. He was arrested and charged, but the case was dropped. According to former hacker Matthew Bevan, if the information is not there right away, you can install a programme called a ‘sniffer’ to find it. ‘A sniffer will sit there in the background and monitor the computer, recording everything that someone types into it, including all their password and address information.’ He now uses his skill to expose the shortcomings of computer companies around the world. ‘Websites that request bank details carry a padlock sign denoting a secure socket layer [SSL], but although they claim it is safe, that’s just not true. All it means is that the link between you and the company is encrypted. With a lot of companies, we hack over their SSL – the expectation that this is secure is a really stupid assumption. No one I know has an online bank account.
‘Although significant steps have been taken to try to combat online fraud, it is increasing at around thirty per cent per year. As we eliminate opportunistic fraud, we are left with a highly skilled “professional” class of fraudster, often linked to organised crime.
‘In the old days, there would be groups of kids using specialist programmes which generated random credit-card numbers,’ he adds. ‘Since the introduction of tighter security, the methods of obtaining numbers have also evolved. Today the criminals will set up a bogus but professional-looking website offering desirable goods at well below normal high-street prices. The would-be buyers will input all their details – including their billing address and security numbers – but when they try to purchase something, the site will tell them their card cannot be processed. People running the site will have collected the information they need. They sit on it for six to eight weeks, then use it fraudulently.’
Dozens of chatrooms and specialist sites exist where thieves and hackers swap the personal details of card-holders. The numbers are exchanged for cash or given in return for passwords allowing free access to websites that normally require payment. ‘Virgin’ numbers – those that have not yet been used fraudulently – are highly prized.
While some fraudsters try to get the maximum amount of money from the card in the shortest time, others adopt a more sophisticated approach. Knowing a large transaction will quickly be reported as suspicious, they use a number of cards and make small debits from each. Most bills are issued weeks after a debit is made and the criminals hope that, during that time, the victim will not recall all they have bought and assume the transaction is legitimate.
Another online option is to go ‘phishing’, the practice of getting individuals willingly to submit their genuine ID to bogus sites. One of the first companies to be attacked in this way was the Internet auction company eBay. Hundreds of thousands of emails were sent out at random, telling customers that they needed to re-enter their credit-card information or risk their accounts being shut down. Both the email and the website that was linked to it looked like the real thing and thousands complied, losing thousands of pounds in the process.
Another, more sophisticated means is to masquerade as a legitimate online bank with irresistible interest rates and reel in customers. Dozens of lookalike sites including barclays-private.com and eurocitibank.com – neither of them anything to do with existing banks – were shut down, having been used to garner ID details for fraud.
‘But there is only so far that you can get with basic credit-card information,’ says Bevan. ‘What we’re seeing more and more of now is people moving into creating whole new identities loosely based on an existing person or completely from scratch.
‘Often it’s a case of searching around on the Internet and picking up bits of ID on the way. If you have someone’s name and account number, guessing the password to their online bank account is often relatively easy. People most often use their date of birth as their numerical password, and their mother’s maiden name – the most common security question – is printed on everyone’s birth certificate and you can get a copy of that for just a few pounds.
‘With this kind of information it then becomes easy to pretend to be someone else. You can call the automated bank service and transfer money from their account. You can set up a whole new account in the same name and, provided it is kept in credit for a few months, apply for loans and credit cards. When the bailiffs come knocking it is on the door of some ordinary Joe who never even knew his identity had been stolen.
‘The Internet has changed everything but not in the way many people think. The information available through online sources was always available. There is nothing available now that wasn’t available years ago. It’s just that gathering the information is now much faster. You can do in a day what used to take weeks.’
The net also offers a host of opportunities to obtain bogus documents. High-quality fake passports, driving licences and birth certificates are all relatively easy to come by online. For anyone willing to spend a short amount of time looking there is a range of websites where you can buy duplicate documents on literally anything. The sites are shut down regularly by the authorities but reappear elsewhere in another guise.
Identity theft is believed to be the fastest-growing crime in the world – worth an estimated £1.3 billion in the UK alone – and Mary is a master of it. Armed with nothing more than a few bits of paper she boasts that she can walk in anywhere and convince people that she is who she says she is.
‘The store cards are the best, especially in the run-up to Christmas when they’re really busy. Normally these sort of places are strict about the sort of ID you need to sign up, but they know for a fact that most of the people who go shopping had no intention of getting a card when they left home. That means they are a lot more flexible. If you’ve got a couple of utility bills and a credit card with your name on it, you’re away with up to two thousand pounds of instant credit. You just go from one shop to another, sign up in every one and max out your limit. I’ve spent more than twenty thousand pounds in the space of a few hours like that. You go for digital cameras, portable DVD players and laptop computers – stuff you can sell on. It’s easy.’
Stealing a whole new ID is a slow and intricate process. The starting point is to get hold of some form of identifying document such as a bank statement or utility bill, which will also provide a name and address. Such things are by no means difficult to come by. A survey by the Experian credit-reference agency found that two-thirds of local authorities around the country had a problem with ‘bin raiding’ and that it was getting worse. In a further analysis of four hundred domestic bins, the agency found that almost three out of four
contained a full name and address, four out of ten contained a credit-card number and expiry date linked to an individual, while one in five held a bank-account number and sort code alongside a name.
As well as earning money for themselves, identity thieves can cause havoc for the individuals whose details they steal. Credit can be rejected, bank accounts shut down and enormous debts run up all without the individual ever knowing. It can take years and cost literally thousands of pounds to put everything back in order.
In a bid to stamp out the problem, the Home Office has announced plans to introduce ID cards to the UK. But many fear that the cards themselves could become targets for ID theft. It would also mean that a thief would have to obtain only one item rather than a range of items to acquire absolute proof of identity. In the US, where ID is linked to one single point, a social-security number, there are now instances where identities are so thoroughly compromised that their true owners have to go so far as to declare themselves legally dead – a practice known as ‘pseudocide’.
Although identity theft mainly affects individuals, they are not the only targets for computer criminals. Finance companies and online banks are also being hit hard, often by hackers who threaten to cause havoc unless they receive substantial sums of money. Although such activity is believed to be commonplace, it rarely attracts publicity.
Soon after its launch in 2001 the police National High Tech Crime Unit commissioned NOP Research to survey leading organisations in the UK on hi-tech crime. The report confirmed what the police had known for some time – that businesses were reluctant to report online attacks to their systems because of concerns about their reputation with customers and shareholders.
Although almost all of the companies in the survey had experienced at least one incident of serious computer-related crime in the previous twelve months, only half had involved the police, typically where there was a need for an insurance claim or if a successful prosecution was likely. The police were usually a second choice to having outside security consultants fix the problems, and one in ten said they would not involve anyone outside the company at all. When Russian hacker Vladimir Levin tricked Citibank’s computers into paying out more than $10 million the bank was initially reluctant to allow the matter to become public, calculating that the media coverage would cost them even more in shares and customers.
Catching those working at the highest levels of high-tech organised crime calls for specialist skills and techniques. Security companies employ people to pose as hackers, hanging around in chatrooms and trying to pick up the latest gossip – hackers are notorious for their love of bragging. As well as being experts in computing many such operatives also have a background in psychology to enable them better to understand group behaviour and the mindset of those they are dealing with. They will create a series of net personae – up to twenty or more – which they use to gain the confidence of other hackers on the web. It is a long, slow process. It is not unknown for the teams to spend more than a year just listening in to conversations before they join in.
Although reports of successful hacks will be made to the police, the teams are far more concerned with prevention. Their Holy Grail is to get hold of a piece of computer code that a hacker is working on before he has a chance to try it out. This enables them to add preventive measures to the systems they are working on, ensuring their safety.
Similar techniques are now being employed to catch another group of computer-savvy criminals who do most of their work in Internet chatrooms: paedophiles. When I visited the offices of the Child Protection Command of the National High Tech Crime Unit at Scotland Yard, a nine-year-old girl, a twenty-seven-year-old stockbroker and a forty-eight-year-old geography teacher were quietly surfing the Internet. The girl was bored, lonely and looking for pen-pals; the stockbroker was looking to add to his collection of hardcore, sado-masochistic child pornography; while the teacher was looking for someone who shared his interest in sex with pre-pubescent blond boys. The girl was typing slowly, misspelling some words and abbreviating others. She made passing references to her favourite television programmes, complained about her lack of pocket money and told silly jokes.
In reality the girl, the stockbroker and the teacher were just some of the dozens of fictional characters created by the unit’s undercover officers.
‘Some of the paedophiles out there are the best hackers in the world,’ Detective Inspector Brian Ward told me. ‘They have the ability to examine the hard disk of someone online to check whether they are who they say they are.’
This means that if an officer is going to pose as a nine-year-old girl, he has to ensure that everything on the hard disk fits in with that. There will be certain types of music files, emails to and from friends about problems at school and home. All this information has to be created simply to ensure the deception is complete. Stacks of hard disks containing the different identities are spread around the room.
Child pornography – or, rather, the threat of it – also features in the latest crime to emerge from the growth of computer technology in the home and the office. Cyber blackmail is on the rise, with dozens of computer users receiving emails from criminals who threaten to delete essential computer files or install pornographic images on their work PCs unless they pay a ransom.
The extortion scam, which first emerged early in 2003, indiscriminately targets anyone on the corporate ladder with a PC connected to the Internet. It usually starts with a threatening email in which the author claims to have the power to take over a worker’s computer. It typically contains a demand that unless a small fee is paid – at first no more than twenty or thirty pounds – they will attack the PC with a file-wiping program or download on to the machine images of child pornography. As is the case with the 419 gangs, the scam works even if only a handful of the countless recipients follow through and pay up.
But high-tech crime doesn’t only revolve around the Internet. Former paramilitary gangs in Northern Ireland are using the latest computer technology to run a sophisticated, multi-million-pound counterfeiting and smuggling operation, whose tentacles reach across the globe. Forsaking politics for profit, loyalist and republican terror gangs have linked up with the likes of the Russian and Italian Mafia and the Chinese Triads to reap huge rewards from a wide variety of criminal activities. Up to a hundred criminal gangs are operating in Ulster and at least two-thirds are linked to the Provisional IRA, the Ulster Defence Association and other paramilitary organisations. The province has become a major UK hub for the sale and distribution of counterfeit goods, which is believed to have earned the gangs more than £150 million last year.
Law-enforcement agencies in Northern Ireland seize more counterfeit goods than all other UK police forces combined, but still believe they stop only five per cent of the total market. ‘Pubs, clubs and taxi firms who operate in districts influenced by paramilitary groups are known to facilitate a lucrative trade in counterfeit goods. Door-to-door sales are also undertaken. The most popular goods include clothes, computer games, DVDs, CDs and videos.’
Much of the counterfeit clothing is believed to originate from factories in the Leicester area, while a raid on a fair in Ballycastle last year was tracked back to an operation in Glasgow.
Counterfeit currency produced and printed in Northern Ireland has been discovered all over the world. In addition to copies of sterling – complete with watermarks and foil strips that only experts can tell from the real thing – the gangs are also producing dollars and euros. They make use of sophisticated scanners and digital cameras to take close-up photographs of real notes, then manipulate them electronically to allow them to be reproduced more accurately.
Customs officers have uncovered a trade in counterfeit cigarettes, made in factories in the Far East with only a minimal amount of tobacco and harmful fillers. Fake vodka, made from watered-down industrial alcohol, has also been found.
One up-and-coming development, straight out of the pages of a science-fiction novel but enough of
a reality to be a major cause for concern, is the development of so-called ‘cyber narcotics’. Rather than being taken orally or via injection, these digital stimulants would involve hooking up to a special machine that would then directly stimulate the pleasure centres of the brain. The technology is in the early stages of development but the FBI believes such products have the potential to be more addictive than heroin and cocaine. Furthermore, they could be transmitted across the Internet or using radiowaves, and could be taken without anyone ever needing to possess them.
Such products may still be some way off, but there is no doubt that the web is increasingly replacing pubs or nightclubs as the favourite criminal forum for exchanging useful information. The simplest of searches will produce dozens of sites dedicated to providing details and descriptions, often including the registration numbers, of unmarked police cars operating across the country. Many of the lists are compiled by youngsters employed by criminal gangs to stand outside their local police station and note every vehicle entering and leaving. Most experienced undercover officers now prefer to park their vehicles some distance away and walk to the station when attending briefings.
More sophisticated searches reveal the existence of sites where specific information about suspected police informants and the identity of officers working on covert operations is disclosed. The information is often found within anarchist sites alongside tips for manufacturing explosives, picking locks and creating false identities.
The largest and most sophisticated gangs now employ technicians and engineers, and subscribe to trade journals to keep up with developments in forensic and technological science, helping them counter the threat from law enforcers. They also have their homes and vehicles swept regularly for bugs following convictions in which police have gained crucial evidence after breaking into a suspect’s property and planting listening devices. These gangs keep up to date by sending representatives to court to listen to detailed evidence of how rival gangs were tracked down. Increasingly aware of this, the police will often seek a public-interest immunity certificate, or even drop a case rather than disclose the technology used to gather the information.