Paul McNamara: Mum’s often the word when criminals come a-callin’

Listen to Kevin Mandia describe the misery visited upon his company’s clients by criminal hackers – real criminals, not mischief makers – and you can’t help but come away shaking your head.

You also can’t help but wonder about the business ethics of some of those clients, but I’m getting ahead of myself.

Mandia is director of computer forensics at Foundstone Inc. in Mission Viejo, Calif., a security outfit that helps big-name corporate clients “prevent, respond to and resolve enterprise security issues.” He told an audience at last week’s CyberCrime 2003 Conference in Mashantucket, Conn. that “the threat today is worse than ever” and that most criminal hackers are overseas – in particular, the former Soviet Union – where they are so immune from law enforcement that some make no effort to conceal their identities.

Credit card numbers and hard goods are the most sought after plunder, but an increasingly popular fall-back position has become extorting cash from compromised companies, or, as Mandia calls them, “the folks most loath to say ‘We have a computer security problem.'”

How reluctant are victims to admit they’ve been had?

Mandia told of one company that lost US$5 million worth of hardware to an online scam, yet didn’t even confess the loss to its board of directors. Another’s IT department waited 27 days from when an extortion e-mail arrived to even notify the company’s top executives.

Mum’s the word, all right, which isn’t good news for consumers.

Mandia recounted a case where the victimized company’s lawyer suggested individual notification of what was believed to be 17,000 customers whose credit card numbers had been compromised. When Mandia cautioned that a closer look at the breach might reveal a broader problem – perhaps 500,000 lost numbers – and necessitate a blanket public notification, the company rethought the matter.

“I heard the general counsel say the following semi-compelling argument: He said there is nothing our clients could do to prevent the identity theft [they might suffer as a result of the breach],” Mandia said. “They aren’t going to change their name, they aren’t going to move, and they can’t change their mother’s maiden name. So, risk vs. reward, we lose more by telling them than they could gain if we tell them.”

Sure sounds like something a lawyer might say. And they didn’t tell anyone.

“Weeks later I thought about it, and there is something [a credit-card holder] can do,” Mandia continued. “You can start calling credit agencies and get reports and find out if there are four new Visa cards in your name. . . . They didn’t consider that.”

Financial institutions are required to report stolen credit card data but your run-of-the-mill e-commerce site is not, Mandia said, or at least there are differences of opinion as to what the law requires. This leads to self-serving rationalizations such as: “Until the cards are used, let’s not report it to anyone.”

As for the extortionists, they’re laughing all the way to the bank.

“They’re extorting you with real bank accounts,” Mandia said. “[Their e-mails read] ‘Here is my bank account. Please transfer the money here.’ So there’s no real mystery as to who is behind this. The other weird way of looking at this is that once you get extorted, that’s the good news: It means they didn’t get credit card numbers from you and they can’t fraudulently purchase anything from you.”

And there’s even more “good” news: Extortion payments are negotiable, according to Mandia. Companies are getting off the hook for as little as a few hundred dollars. One extortionist even asked, “What fee do you think is reasonable?”

Finally, Mandia said about half the cases he’s privy to ended in quiet payments and that he hadn’t heard of a single instance where the extortionist came back for more.

Who said there’s no honour among thieves?

Columnists don’t hide either. The address is