Q&A with Byron Acohido on "Zero Day Threat" identity theft book

Identity theft is grabbing headlines just about every day. I’ve had my own identity stolen more than once and so I can believe the stats that suggest 8 million Americans a year are being targeted by cybercriminals who steal identities to perpetrate credit card fraud and other scams. Byron Acohido and Jon Swartz, both business reporters at USA Today, have been covering this topic for years. Now they’ve written a book on the topic, “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity,” (Union Square Press, 2008). As the subtitle suggests, these journalists make the controversial case that our banking and credit card system is failing to protect consumers and has little motivation to do anything about it. You can bet there are plenty of start-up opportunities in addressing this problem. Here is a Q&A with Acohido. (The book blog is here).

Q: The book is well-researched. But it’s hard to swallow the thesis. You almost suggest collusion between credit card companies and criminal hackers, as if they are in league together against consumers. That sounds ridiculous. But what convinces you this is the case?

Corporate America is colluding with cyber crooks in this sense: Banks, merchants, media companies and tech companies are completely committed to porting commerce wholesale to the Internet. Yet the Internet was never intended to be a secure transactions network. The deeper Corporate America embraces Web 2.0, the more doors and windows it is opening for very focused, profit-minded crime groups. Lost in this dynamic is any sort of substantive due diligence concerning the risk and exposure that befalls the average consumer.

Here we are in April 2008 writing news stories about how hackers are using fuzzing tools to find zero-day security holes in Microsoft Office, Apple iTunes, JavaScript and other popular applications. We have a story coming out this week about the scaling up of cross-site scripting attacks, taking aim at big-name news, shopping and university web sites. This is the same type of attack described in our book that corrupted the Miami Dolphin Stadium web site and allowed a hacker named Samy to infect 1 million MySpace users.

Q: Can you describe your own backgrounds?

I started in 1977 as a local news reporter; covered city hall, cops and prisons, and in 1985 became a business reporter. I spent 13 years covering aerospace and Boeing for the Seattle Times [Editor's note: Acohido won a Pulitzer Prize for his coverage of Boeing] and then joined USA Today in December 2000, at which point I began covering technology and Microsoft. Jon Swartz covered tech for trade pubs before becoming a tech reporter for the San Francisco Chronicle in 1996. He joined USA Today in May 2000 to cover technology. We both continue to cover tech for USA Today.

Q: When did the two of you start covering hackers and identity theft?

The summer of 2003. The MS Blast worm, which was to open back doors on 25 million PCs, caught my attention. Jon was drilling down at the time on the onslaught of spam. It seemed to make sense that viruses and spam were somehow related. But no one at the time was explicitly connecting the dots. So we teamed up to see if we could document the convergence, if any.

Q: What were some of the bigger stories you worked on?

From 2004 through 2007 we collaborated on something like 150 news and feature stories and a dozen or so investigative cover stories on Internet security. The shorter pieces allowed us to build expertise and cultivate sources, and lay the groundwork for the longer cover stories. We were the first mainstream media reporters to explain botnets; this was back in July 2004. We exposed how banks and tech companies made things easier for cyber crooks. Our cover story on reshipping mules was later done by Dateline’s Chris Hansen. And our cover story about how a cell of Edmonton meth addicts was able to plug into the global cyber crime machinery became the kernel of our book.

Q: The anecdotes about the life of the criminal hackers is very detailed. How much time did you spend with them?

I made three trips to Canada to piece together the activities of the Edmonton cell. Jon traveled to Grass Valley, Sacramento and L.A., as well as North Carolina, Pittsburgh and Miami to report on criminals and victims. In addition, we both communicated extensively via phone, email, IM, ICQ, chat rooms and forums with our various sources. (pictured: hacker named Socrates standing outside a Canadian motel where he had been arrested once).

Q: You draw connections between criminal hackers and meth addicts. Please describe it. The book keeps coming back to the story of some addicts.

One of our goals was to show how the cyber crime economy is driven by capitalist principles and entrepreneurship. Add an accelerant like meth, and things can scale up pretty quickly, and just as quickly spin out of control. We wanted to show that story in microcosm, as a way to convey the bigger picture. We discovered that the kind of quick, anonymous partnerships the Edmonton meth addicts set up so profitably—before flaming out so spectacularly—also were at the core of highly organized, large scale scams. That’s where the TJX data breach of 94 million credit card records—and the quick distribution of that data to street cells in Miami and elsewhere—ties in.

Q: Hacking crimes have always been around. When did identity theft and hacking become an alarming problem?

Two dates come to mind. The first is January 2003, with the release of the SoBig A email virus. That was the first really stunning example of serious R&D effort going into developing a purely for-profit virus. The second is April 2004, with Sven Jaschan’s release of the Sasser worm. We argue in the book that Sven, with his vigilante bent, is the last of the bragging-rights type of hacker. After Sven and Sasser, the for-profit motive becomes paramount.

Q: Do you believe major criminal enterprises are behind identity theft now?

Absolutely. If you think of cyber crime as a fast-flowing $200 billion-a-year river, you basically have script kiddies and novice scammers splashing in the shallows, grabbing law enforcement attention. But out in the deeper running water you have the elite hackers creating zero-day viruses, running massive botnets, like Storm, and operating bullet-proof hosting services, like the Russian Business Network. These heavyweights operate like Al Capone at the height of Prohibition. But there is no Eliot Ness on the horizon to slow them down.

Q: Clearly, you have shown that credit card companies and others could do more to prevent identity theft. What do you suggest?

One of the credit card companies’ main initiatives is to push the burden onto merchants to be more diligent about encrypting credit card data. This is called the Payment Card Industry Data Security Standard, or PCI DSS. But PCI DSS has a major shortcoming. Hackers are now planting data-stealing programs on internal servers that collect store data on its way to being encrypted. That’s apparently what happened at 300 Hannaford Brothers grocery stores that were PCI-compliant, but still lost 4.5 million customer records. To slow down cyber crime, something more fundamental has to change. It seems to us that the solution has to somehow involve slowing down the speed built into the credit issuing system, which has now been ported to the Internet. But this means a reduction in consumer convenience, and slower growth in banks’ profits. So it’s a tough nut.
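
The point above about data being captured "on its way to being encrypted" is worth making concrete. Encrypting card data at rest does nothing for the plaintext that passes through a point-of-sale terminal, a log file or server memory before the encryption step, and the simplest way to harvest it from such a buffer is a Luhn-filtered scan for card-number-shaped digit runs. The same scan is what a defender runs to find cleartext PANs where they should not be. The following is an added example, not code from the book or from any vendor mentioned on this page; the transaction record it scans is constructed for the example, and the card numbers in it are the well-known Luhn test numbers, not real accounts.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by single spaces or dashes, not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812).

    Every second digit from the right is doubled, digits of the products
    are summed, and the total must be a multiple of ten.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list[str]:
    """Scan a raw buffer (memory dump, log, unencrypted record) for PANs.

    latin-1 decoding never fails and keeps a 1:1 mapping to bytes, which is
    what you want when the buffer is binary rather than clean text.
    """
    text = buf.decode("latin-1")
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Most 13-19 digit runs (timestamps, references) fail Luhn; card
        # numbers pass by construction, so this filter removes the noise.
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample: what a transaction record looks like in memory or a
# debug log before it reaches the encryption routine (assumption: the
# field layout is illustrative, not any real POS vendor's format).
SAMPLE_RECORD = (
    b"POS-TERM-0042 2008-04-15T12:30:00 SALE 42.17 USD\n"
    b"Track2=4111111111111111=1012101\n"          # Luhn-valid test PAN
    b"Ref=2008041512300000 Auth=12345\n"          # 16 digits, fails Luhn
    b"Backup card 5500 0000 0000 0004 exp 10/12\n" # spaced, Luhn-valid
    b"Typo=4111111111111112\n"                     # one digit off, rejected
)


def scan_report(buf: bytes) -> list[str]:
    """Masked list of cleartext PANs found in the buffer."""
    return [mask_pan(p) for p in find_pans(buf)]


if __name__ == "__main__":
    for hit in scan_report(SAMPLE_RECORD):
        print("cleartext PAN found:", hit)
```

Run against the constructed record, only the two Luhn-valid numbers survive the filter; the timestamp and the mistyped number are dropped. Pointed at a process memory dump or a directory of logs on a PCI-scoped host, the same routine tells you whether card data is exposed before the encryption the standard requires ever gets a chance to protect it.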

Q: What are your predictions about the future of cybercrime?

So much of our sensitive data has already been harvested that it’s mind boggling. Attrition.org, a terrific open-source index of reported data breaches, shows reported data loss cases tripled in 2007, with little sign of slowing so far in 2008. It’s pretty clear that major cyber crime groups are going to continue to expand their operations with impunity for the foreseeable future.

Q: Given that, how should consumers change their own behavior?

Reduce your digital footprint. Make sure your anti-virus subscription is current. Make certain all software updates are current, not just from Microsoft, but from Apple, Adobe, Mozilla, Java, Sun, Oracle, any software vendor whose products reside on your hard drive. Track your credit card statements like a hawk. Never type your Social Security number or your debit card number in an email or at a web site. Be extremely judicious about doing any online banking or online stock trading. Be ultra cautious about clicking on any attachment or web link in an email, IM or text message, or on a web site, even if sent from a trusted source or posted on a familiar web site.

If and when you do become an identity theft victim, speak out! Don’t just passively accept reimbursement and a new account number from the bank. Realize that if the bad guys have your name and that account number, they likely have other data. Complain loudly to the financial institution for exposing you to that risk. Take your business elsewhere. Report the theft to local police and your state attorney general. Contact your state and federal lawmakers and demand more oversight of how banks and credit bureaus handle your sensitive data.