Approaching Zero, Paul Mungo
- Author: Paul Mungo
take over a box or, better, a series of boxes. Security is often lax on
voicemail computers, with box numbers and passwords ridiculously easy to guess
by an experienced hacker. One of the methods has become known as finger
hacking: punching away on the telephone keypad trying groups of numbers until a
box and the appropriate password are found. Ideally, hackers look for unused
boxes. That way they can assign their own passwords and are less likely to be
detected. Failing that, though, they will simply annex an assigned box,
changing the password to lock out the real user.
VM boxes are more secure than hacker boards: the police, for a start, can’t
routinely monitor voicemail systems as they can boards, while hackers can
quickly move to new systems if they suspect the authorities of monitoring one
they are using. The messaging technology of voicemail systems lends itself to
passing on lists of codes. The code line is often the greeting message of the
hacker-controlled mailbox; in other words, instead of hearing the standard
“Hello, Mr. Smith is not in the office. Please leave a message,” hackers
calling in will hear the current list of stolen code numbers. In this manner,
only the hacker leaving the codes need know the box password. The other
hackers, those picking up the codes or leaving a message, only need to know the
box number.
It was ultimately a voicemail computer that led the authorities to
Doucette. On February 9, 1989, the president of a real estate company in
Rolling Meadow, Illinois, contacted the U.S. Secret Service office in Chicago.
His voicemail computer, he complained, had been overrun by hackers.
The harassed real estate man became known as Source 1. On February 15th, two
Secret Service agents—William “Fred” Moore and Bill Tebbe—drove from Chicago
to the realtor’s office to interview him. They found a man beset by unwanted
intruders.
The company had installed its voicemail system in the autumn of 1988. The box
numbers and passwords were personally assigned by the company president.
While the 1-800 number to access the system was published, he insisted that
the passwords were known only to himself and to the individual box users.
In November 1988, during an ordinary review of the traffic on the system, he
had been startled to discover a number of unexplained messages. He had no idea
what they were about or who they were for; he thought they could have been
left in error.
However, the number of “errors” had grown throughout November and December. By
January 1989 the “errors” had become so frequent that they overwhelmed the
system, taking over almost all of the voicemail computer’s memory and wiping
out messages for the company’s business.
The Secret Service recorded the messages over a period from late February to
March. Listening to the tapes, they realized they were dealing with a code
line.
The law on access devices prohibits the unauthorized possession of fifteen or
more of such codes, or the swapping or sale of the codes “with an intent to
defraud.” (Fraud is defined as a $1,000 loss to the victim or profit to the
violator.) On the tapes, the agents could identify 130 devices that were
trafficked by the various unknown callers. They also heard the voice of a woman
who identified herself alternatively as “Kyrie” or “long-distance information.”
It seemed as if she was running the code line, so they decided to focus the
investigation on her.
In March security officials from MCI, the long-distance telephone company, told
the Secret Service that Canadian Bell believed “Kyrie” to be an alias of Leslie
Lynne Doucette, a Canadian citizen who had been hacking for six or seven years.
In March 1987 Doucette had been convicted of telecommunications fraud in Canada
and sentenced to ninety days’ imprisonment with two years’ probation. She had
been charged with running a code line and trafficking stolen access codes.
Subsequently, the Canadians reported, Doucette had left the country with her
two children.
Later that month an MCI operative, Tom Schutz, told Moore that an informant had
passed on the word that a well-known hacker named Kyrie had just moved from the
West Coast to the Chicago area. The informant, Schutz said, had overheard the
information on a hacker “bridge” (a conference call). At the beginning of April
an MCI security officer, Sue Walsh, received information from another informant
that Kyrie had a Chicago telephone number.
By mid-month, Moore was able to get court authorization to attach a
dialed-number recorder (DNR) to Doucette’s phone. A DNR monitors outgoing
calls, recording the number accessed and any codes used. From the surveillance,
agents were able to detect a large volume of calls to various voicemail
systems and PBX networks.
The authorities traced the other compromised voicemail systems to Long Beach,
California, and Mobile, Alabama. They discovered that Kyrie was operating code
lines on both networks. It’s not unusual for hackers to work more than one
system; sometimes Hacker A will leave codes for Hacker B on a voicemail
computer in, say, Florida, while Hacker B might leave his messages for Hacker A
on a system in New York. By rotating through voicemail computers in different
states, hackers ensure that local law enforcement officials who stumble upon
their activities see only part of the picture.
The agents also realized that Kyrie was running a gang. From other sources they
heard tapes on which she gave tutorials to neophyte hackers on the techniques
of credit card fraud. Over the period of the investigation they identified 152
separate contacts from all over the country, all used as sources for stolen
codes. Of the gang, the agents noted seven in particular, whom they identified
as “major hackers” within the ring: Little Silence in Los Angeles; the
ironically named FBI Agent in Michigan; Outsider, also in Michigan; Stingray
from Massachusetts; EG in Columbus, Ohio; Navoronne, also from Columbus; and
Game Warden in Georgia.4 DNRs were also attached to their telephones.
The agents assigned to the case described the group, imaginatively, as “a
high-tech street gang.” By then the Secret Service had turned the enquiry into
a nationwide investigation involving the FBI, the Illinois State Police, the
Arizona Attorney General’s Office, the Chicago Police Department, the Columbus
(Ohio) Police Department, the Cobb County (Georgia) Sheriff’s Office, the Royal
Canadian Mounted Police, and the Ontario Provincial Police. Security agents
from MCI, Sprint, AT&T, and nine Bell phone companies provided technical
assistance.
On May 24th the Secret Service asked local authorities in six cities for
assistance to mount raids on Doucette’s Chicago apartment and the addresses of
the five other major hackers in the ring. Prior to the raids the authorities
compiled a list of equipment that was to be seized: telephones and
speed-dialing devices; computers and peripherals; diskettes; cassette tapes;
videotapes; records and documents; computer or data-processing literature;
bills, letters, invoices, or any other material relating to occupancy;
information pertaining to access device codes; and “degaussing” equipment.
The raid on Doucette’s Chicago apartment produced a lode of access codes. Moore
found a book listing the numbers for 171 AT&T, ITT, and other telephone cards,
as well as authorization codes for 39 PBXs. In addition, the agents found
numbers for 118 Visa cards, 150 MasterCards, and 2 American Express cards.
Doucette admitted that she was Kyrie. Later in the Secret Service offices, she
confessed to operating code lines, trafficking stolen numbers, and receiving
unauthorized Western Union money orders. She was held in custody without bond
and indicted on seventeen counts of violating federal computer, access device,
and telecom fraud laws between January 1988 and May 1989.
Estimates of the costs of Doucette’s activities varied. On the day of her
arrest, she was accused of causing “$200,000 in losses … by corporations
and telephone service providers.” Later it was announced that “substantially
more than $1.6 million in losses were suffered” by credit card companies and
telephone carriers.
Doucette’s was a high-profile arrest, the first federal prosecution for hacking
voicemail systems and trafficking in access devices. The prosecution was
determined that she would be made an example of; her case, the authorities
said, would reflect “a new reality for hackers” in the 1990s—the certainty of
“meaningful punishment.” If convicted of all charges, Doucette faced eighty-nine
years’ imprisonment, a $69,000 fine, and $1.6 million in restitution charges.
The case was plea-bargained. Doucette admitted to one count; the other charges
were dismissed. On August 17, 1990, Doucette, then aged thirty-six, was
sentenced to twenty-seven months in prison. It was one of the most severe
sentences ever given to a computer hacker in the United States.
Willie Sutton, a U.S. gangster, was once asked why he robbed banks. “Because
that’s where the money is,” he replied.
Little has changed; banks still have the money. Only the means of robbing them
have become more numerous. Modern banks are dependent on computer technology,
creating new opportunities for fraud and high-tech bank robbery.
Probably the best-known story about modern-day bank fraud involves the
computation of “rounded-off” interest payments. A bank employee noticed that
the quarterly interest payments on the millions of savings accounts held by the
bank were worked out to four decimal points, then rounded up or down. Anything
above .0075 of a dollar was rounded up to the next penny and paid to the
customer; anything below that was rounded down and kept by the bank. In other
words, anything up to three quarters of a cent in earned interest on millions
of accounts was going back into the bank’s coffers.
Interest earned by bank customers was calculated and credited by computer. So
it would be a simple matter for an employee to write a program amending the
process: instead of the rounded-down interest going back to the bank, it could
all be amalgamated in one account, to which the employee alone had access. Over
the two or three years that such a scam was said to have been operational, an
employee was supposed to have grossed millions, even billions, of dollars.
The story is an urban legend that has been told for years and accepted by many,
but there has not been a single documented case. However, it certainly could be
true: banks’ dependence on computers has made fraud easier to commit and harder
to detect. Computers are impersonal, their procedures faster and more anonymous
than paper-based transactions. They can move
money around the world in microseconds, and accounts can effortlessly be
created and hidden from a computer keyboard.
Like any corporate fraud, most bank fraud is committed by insiders, employees
with access to codes and procedures who can create a “paper trail” justifying a
transaction. In such cases the fraud is not really different from illegal
transactions carried out in the quill-pen era: the use of a computer has simply
mechanized such fraud and made it more difficult to track.
The new threat to banks comes from hackers. In addition to the familiar duo of
the bank robber and the criminal employee—the one bashing through the front
door with a shotgun, the other sitting in the back room quietly cooking the
books—banks now face a third security risk: the adolescent hacker with a PC, a
modem, and the ability to access the bank’s computers from a remote site.
Unlike traditional bank robbers, hackers don’t come through the front door:
they sneak in through the bank’s own computer access ports, then roam unseen
through the systems, looking for vulnerable areas. Unlike crooked employees,
hackers aren’t a physical presence: they remain unseen and undetected until
it’s too late.
Though banks spend millions protecting their computer systems from intruders,
they aren’t necessarily that secure. Bank employees, particularly those who
work in dealing rooms, are notorious for using the most obvious passwords,
generally those that reflect their own ambitions: Porsche