39 comments

[ 3.2 ms ] story [ 84.7 ms ] thread
> As for the hackers, they didn’t make much profit -- Oprea, the ring leader, made only $40,000. He paid a steep price for the estimated $12.5 million in losses inflicted on financial institutions

The article doesn't explain the discrepancy between the tiny earnings of the hackers and the enormous loss of the banks. Which one of these is it?:

1) The hackers lied and have millions stashed away some place?

2) The middlemen who buy the card data from the hackers and get mules to make fraudulent charges and withdrawals are the ones raking it in?

3) The banks are puffing up their losses in order to get tax deductions or make insurance claims, or maybe just to get the Secret Service interested enough in the case to do an investigation?

The banks can exaggerate their loss in all kinds of ways: including in the loss payments that they were able to later reverse, or including losses that were eaten by the merchants and not the bank, or including the salary of every member of their security and fraud department, etc.

Hmmm. Stashed in BTC or LTC?

Maybe one em gambled it all away.

Your second guess can account for a lot of the discrepancy. Stolen credit card records are sold for $1 or less by the original source. The real profit (and risk) is in the process of extracting value from the cards.
How do people manage to extract value from stolen credit cards without getting caught?

To me this is the most interesting part of the whole "hacking chain" and almost nobody can/wants to explain it... And it's also obvious that if law enforcement would concentrate on making this harder to do, the value of stolen cc numbers would very fast o low enough to make the hacker loose any incentive for doing this kind of thing.

You clone credit card (can be done with $10 worth of equipment), go to the store and buy something expensive. Sell it on craigslist or (if you are brazen) return for refund.

It's high risk process involving going to the store so most of the profits go to the mules. Credit card numbers are cheap - just a few dollars per card. There is black market for that stuff - you can google and find a bunch of articles about it.

Get behind 7 proxies and order stuff from online to a vacant house.
Judging by the Subway example which spent "5 millions $" to upgrade its "cyber security systems" (what?), almost any direct or indirect loss or cost incurred during or after the hacker attack can be imputed to the perpetrator. It's like if I have a weak entrance door and some thief enters and steals something then I can say that he caused me loses of millions because I had to upgrade all the doors in the house and hire detectives and a security company to guard me better from now on.
Portray them as victims if it helps your world view, but I will not lose any sleep over their fines that will never be repaid.
Trying to lay the bill for making your systems secure at the feet of the individual hackers who got into your systems seems wrong. I'm not arguing that what these guys did was legal or good or that they shouldn't be prosecuted, but something about that grates; it's an expense the company (should have) paid beforehand and these guys wouldn't have been able to do what they did.

If a system is on the internet, securing it is a cost that has to be born by the retailer.

They probably sold the cards in bulk to organized crime rings or the like, netting $40K. Those thugs then skim what they can from the cards that aren't locked and that's probably the majority of that $12.5 million.
Theft can destroy a lot more value than the goods themselves:

- stolen goods are hard to sell, and like others have mentioned credit cards are re-sold to others who make most of the profit

- even if there is a suspicion that a card has been stolen, it is often re-issued, causing a lot of operational cost even if it was not actually among those stolen

A lot of other options too like others have mentioned.

Credit card companies will usually refund fraud related charges, so while their consumers don't get affected, the banks do take the hit here.
(comment deleted)
> He paid a steep price for the estimated $12.5 million in losses inflicted on financial institutions and the $5 million Subway spent upgrading its cyber security systems.

Seems a bit silly to say they're annoyed that they had to spend money to upgrade their broken security.

Not really, these companies would be happy to have broken security as long as break ins didn't cost them money.

This is why network security is such a joke, most companies only do enough to mitigate the last disaster instead of designing a system that is actually secure.

Thomas, sounds like a possible new client or two.
I guess we should give up on trying to keep the definition of the word "Hacker" as "brilliant programmer and technical expert".

We can't continue going around calling ourselves "Criminals", and that when we do a brilliant piece of work on an intractable software problem that we really "Hacked" it together, meaning we broke the law to steal it and kept all the money for ourselves.

The word "Hacker" has got to go, it is the same as the word "Criminal", "Burglar" or "Felon" now.

> The word "Hacker" has got to go, it is the same as the word "Criminal", "Burglar" or "Felon" now.

Now? To the majority of the population, it has had that meaning since the 80s.

It's only in tech circles that people have insistent it has another meaning, but that is useless if the majority doesn't share that meaning.

That hardly makes it useless, it just mean you have to be cognizant of both meanings and who your audience is.
No. It was our word before they took it. I will continue to use hacker as it should be used and enlighten the clueless when needed.
(comment deleted)
15 years in prison for a 26 year old who made 40.000 USD by hacking and pleaded guilty? This is nothing more than a morbid joke. The justice system's goal is to rehabilitate, not obliterate one's future.
> 15 years in prison for a 26 year old

Why is his age relevant? Would you be OK with 15 years if he were 30? 50?

> who made 40.000 USD

Why is how much he made relevant, rather than how much he cost his victims?

If I steal millions in precious gems from you, but only sell them for hundreds, would you argue that my crime is only a misdemeanor?

I would make no such claim, however, 15 years is still too large a sentence. I believe that you can send enough of a message with a five year sentence.
Destroying someone's life for losing rich corporations some money, even if its through theft, is unconscionable.
Even having a sentence dependent on "how much he cost his victims" is very wrong imho. The sentence should only depend on how violent the crime was, how much effort was made to avoid being caught and how "malevolent" or carefully planned / premeditated it was. Maybe it should matter how much of the stolen money he actually spent (simply because money spent by a criminal tends to get into other criminals' hands and fuels crime by the process of being spent), or whether any company actually went out of business because of the losses, but even this stretches it quite a bit...

The value of money is relative. Stealing $100M from a hedge fund or a bank could have very little impact on society as a whole. Doing an armed robbery for $1K on the other hand is actually very dangerous because things can get easily out of hand and innocent people can easily get killed.

Now, whether the criminal stole the $100M by pointing a gun at someone's head or threatening to kill someone's family in exchange for some access codes, or he just "hacked" them, that tells you a lot about how dangerous the thief actually is to other people, what other crimes he would be capable of committing and whether he can actually be "rehabilitated" or not, and this is what the sentence should be based on.

(Yeah, I know this is not how the the US legal system works, and I get that there are current advantages to the way it works now, mainly being good-enough at deterring large scale white-collar crime, but still, I think it's just plain wrong...)

No, the justice system's goal is to keep the people who work for the justice system employed.

> The important thing in these cases isn't so much: How did they get in?” O’Neill said. “It's: Where did the data go?

Mhmm. No need to worry about the actual longstanding blatant flaws that allow for any of this. Let's just hope to catch some low hanging fruit with poor opsec so we can pretend that we're controlling the problem.

These problems could go away overnight if banks required more authentication than just an account number to withdraw money.

It kind of makes you wonder how many bad guys are getting away with these kinds of crimes.
Rehab is not the only possible goal of a justice system. Deterrence is another valid goal.
The system's goal is to prevent crime. Rehabilitation is one of the ways it tries to do this, but that is generally directed at people with socioeconomic or mental health issues. Someone who just decided they wanted to use their economically valuable skills to steal? What can be done to rehabilitate them?

See http://lawcomic.net/guide/?p=60 for more on the roles of punishment in the criminal justice system.

It's quite different from "real world stealing". For a hacker, he only steals information and sells it. The actual money is siphoned out further down the chain by the people that buy stolen cc numbers and actually milk them...

Most of these "hackers" are just stupid kids that think along the lines of "hey, I just stole these bits of data from there and then sold them to this other guy for profit". Some even do it simply for the "high", as an antidote for depression or other mental issues, they could probably make even more money by simply finding a decent job that matched their skills set.

These kids are 99% harmless to society because they would never commit any violent crimes like an armed robbery or even a purely financial crime that would involve directly stealing from someone they can identify. Now, put them in jail for XX years, maybe even parole them and force them to work for a lowest payed wage for gov agency ABC (cough, helping it spy on its own citizens, without the risk of "crying wolf" like ES did, cough) to keep their "conditional freedom" (though this probably only happens for the most skilled of them), and at the end of it you will have transformed them into pissed off anti-social criminals that are ripe to engage in real violent criminal activities or ripe for recruitment by teorist cells...

From society's point of view, this is like smoking harder in order to cure your lung cancer...

This is US prisons we're talking about. The US prison system is a business so they have a vested interest in keeping people in prison as long as possible in as shitty conditions as possible.
I like the photo of the Secret Service Agents using Google Maps.
It's interesting how these smart people can organize theft, but not a real business - seems like it would be easier and of course, less risky.

Also, the most impressive part was that the two hackers were able to actually get to the US :-) (unless they got their visas with some help from the FBI/Secret Service - can they do that?)

Running a real business requires actual hard work and determination... not just brains. Sometimes the technical brains don't even matter that much because you can hire them. Also, in most parts of the world entrepreneurship is a much harder "career" to pick and there are more bureaucratic hurdles and social friction. Keeping your lazy ass parked on a sofa while you steal some info that happens to be cc numbers and then sell them is much easier...

> Also, the most impressive part was that the two hackers were able to actually get to the US :-)

No, it's not. Travel visas are easy to get in US-friendly countries (Romania is much more US-friendly or "eager to kiss US ass" than most other European countries). Also, if you read on... "He took the traditional route with Oprea. The U.S. government sought the Romanian’s extradition. It worked". They could've done the same for the rest, the Romanian gov would have just handed them on a silver plate. Also, if they had been trialed in their country they would have most likely gotten similar sentences - $40k is not enough to safely bribe your way through the justice system and the prosecutors would have been either fair or most likely quite harsh on them. Maybe they were unsure they got all the evidence to effectively prosecute them in the US or most likely they just needed the elaborate phishing operation to make themselves look cool and get more funding for their department in the future, hence the excessive media coverage too, wasting tax payers money while jerking off with this role-play...

It's incredibly easy to catch stupid hackers in pro-US states, what they did could probably have been done by a smarter-than-average sysadmin helping a regular us police detective at 1% of the cost of all this "elaborate operation"...

EDIT+: My point is that the ss guys just picked themselves a few very low hanging fruits, got themselves excessive media coverage for it and spent way too much time and money on this.

opsec 0/10
Not really. DPR was a 0/10 or 1/10.

In this case the Secret Service agent wasn't even able to get a name on his guy until he called the Romanian white collar unit.

From what I can tell the people involved in this actually put some effort into hiding themselves. This seems more like a 3/10.

(comment deleted)