American consumers fall prey to privacy thieves with little available to protect them from these modern brigands. Distinguished by status and motivation, there are four tribes of cyber thieves – money-seeking criminals, hacktivist autocrats, aggressive nation states (notably Russia, Iran, the Koreas and China), and US government employees.
Ordinary privacy criminals go where the money is. They monetize stolen personally identifiable information (PID) by fraudulently using stolen charge numbers and associated pins. More ambitious thieves convert stolen PID into a wallet of well documented identity credentials, a foundation for larger scale theft such as new loans and credit cards. Fortunately, stolen PID has a short shelf life because the thief can be found through credit reports, or the police can discover the crime retrospectively when the criminal is arrested for other actions.
Carberp is the name of software originating in Ukraine/Russia. It steals PID banking information and quickly makes cash available from ATMs. The software was offered for lease at $40,000/month, but has since been released freely on the web. Allegedly, Silk Road supported PID exchanges as did DarkMarket, a highly organized criminal exchange was also shut down by law enforcement. Avoid searching for “carding forum,” where the resulting links are NOT likely to be safe. It will probably take you to other PID crime organizations, viruses or worm booby traps.
Known as hacktivists, Anonymous, WikiLeaks , LulzSec and other cause-obsessed autocrats seek media attention by punishing victims with cyberattacks (defacing websites, launching denial of service attacks, stealing PIDs, or releasing “secrets”). However, they are less interested in monetizing their crimes than in gaining sympathetic coverage of their political philosophy (e.g., freedom of information or opposition to digital piracy laws). In this regard, victims of their PID theft are just collateral damage.
Recently, there has been a rash of banking cyberattacks in the US that are believed to be of Russian origin. Chinese and Iranian hackers have generally not gone after PID. The bank attacks were more about planting Trojan viruses for future use than attempting to harvest PID right away. It is possible the bank cyberattacks are genuinely after PID but they might be a Kremlin sanctioned tactic. Animosity has risen between the US and Vladimir Putin over Russian behaviors in Ukraine, Syria, and Crimea. If the attacks were politically motivated, the right electronic command from Russia at a future date could cause havoc in our financial system. ISIL could create a similar exposure in the US.
In the US, massive leaks about NSA and FBI monitoring have forced Americans to judge whether the government’s wholesale seizure of their privacy is worth the additional protection from foreign threats that information might provide. Each of us will make our own decision and it may change over time.
Those who decide the loss of privacy is more valuable than the marginal security it buys have few ways to change government’s behavior. Politicians may fleetingly side with “more privacy” but too often that sentiment evaporates as it is dragged down a FISA rabbit hole, where plain truth is redacted, explorers are blindfolded and whistleblowers are gagged. In the main, elected officials have gone AWOL on the topic. Ordinary Americans cannot overpower DOJ’s deep litigation budget and our court system’s arrogant secrecy.
When we see Twitter suing the government – merely to tell the truth, we are watching privacy wither. Privacy may soon become a quaint memory of a right that most of us cherished.
Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research