July 13, 2004

Conducting blackmail with private payment systems - Daft!

I must have written a hundred times that privacy-enhancing payments are only private to a degree. From eCash to Ricardo to e-gold to PayPal to greenbacks to ... well, all of them can be tracked somewhat. They help protect honest people from bad trackers, but they don't protect really serious criminals from serious, sustained levels of tracking.

In a sort of Darwin award for criminals, here's the story of a major heist that went wrong, because the crooks believed they could use a privacy-based payment system to get their ill-gotten gains. Oh well, no great loss to society here.


(one section quoted from the interview)

What kinds of Internet crimes are the most dangerous at the moment? Can you explain them? What can you say about blackmail?

Spread of computer viruses, plastic card frauds, theft of money from bank accounts, theft of computer information and violation of operation rules of computer systems are among the most dangerous offences on the Internet. In order to get one million UAH (about $185-190 thousand), certain people phoned the director of Odessa Airport, Ukraine, and informed him that they had placed an explosive device on board a plane flying to Vienna, and that they had also blown up a bomb in the building opposite the airport building to confirm their serious intentions.

The Security Service of Ukraine and the Air Security Office were informed of the accident right away. The criminals put detailed instructions on the fulfillment of their requirements on the Internet. The main demand was one million UAH. The criminals planned to use Privatbank's "Privat-24" Internet payment system to get the money. The useful feature for the criminals in that case was that this system allowed anonymous creation and control of an account knowing only a login and password. Therefore they used the Internet to secure anonymous and remote distribution of their threats and receipt of money.

Besides typical operational measures, there was a need to operationally establish data on technical information in computer networks, as the criminals used the Internet at all stages of their criminal offence. The Security Service decided to engage experts of a unit on fighting crimes in the sphere of high technologies at the Ministry of Internal Affairs. They were committed to establishing the senders of the threat e-mails and the initiators of the bank payments.

The response of the ISP and the information it provided helped to determine phone numbers and addresses related to the criminals, and also made it possible to obtain firm evidence stored in the log databases of the ISP and Privatbank.

The logs made it possible to find the IP addresses of computers, e-mails and phones, which helped to review concrete computers at the scenes.

The chronicle of events proves that the prompt and qualified aid provided in January 2002 by the unit on fighting crimes in the sphere of high technologies at the Ministry of Internal Affairs to officers of the departments fighting terrorism and protecting state organization at the Security Service made it possible to reveal a criminal group, to prevent their criminal activity, and thus to give due to cyber terrorists.

Posted by iang at July 13, 2004 11:03 AM

Not in and of themselves, and certainly not until they have reached a scale that allows serious criminals to hide in plain sight. The problem for blackmailers has always been one of finally getting your hands on the money without discovery.

The closest I have seen someone come to doing this is the guy who had the victim deposit money in their ATM-accessible account and then told them to scan the magstrip data from the ATM card and send it to him. This card cloning approach is similar to what some card thieves use. Only insecure communication channels revealed his whereabouts and led to his arrest. Otherwise, use of the magstrip is inspired and sure to be successfully repeated in the future.

For the less criminally minded, this magstrip ploy can enable pseudo-anonymous ATM card acquisition and use from cooperating bank account/card suppliers, especially those offering e-gold and other e-currency funding. If the card agent is inclined to send the magstrip data to the client in an encrypted form, it could offer substantial privacy. Do banking regulations need physical delivery of cards by agents in order to adhere to know-your-customer requirements? If not, then simply 'borrowing' the identity of someone else may suffice for establishing and using accounts.


Posted by: Steve Schear at July 19, 2004 07:35 PM