From the late 1990s to the mid-00s, a silent crime wave sucked billions out of banks, compromised personal privacy on a wholesale scale and exposed weaknesses in the information technology bedrock of the United States’ national security. Now there’s a window into an underworld where PIN numbers, CCV codes, passwords, Social Security numbers and answers to security questions (“Where was your mother born?”) are auctioned off like lawn dwarves on eBay.
The infuriating banality of it all is that after your only debit card was deactivated on a Dominican Republic vacation when you used the resort’s ATM (yeah, that happened to me), after a Russian or Ukrainian or American thief sold your MasterCard number and expiration date for $20, some coked-up chickie bought a Louis Vuitton purse with it at a Costa Mesa mall.
Cybercriminal-turned-technology journalist Kevin Poulsen probed the depths of the hacker underground—as only one who’s been there/done that can—in an epic cyberthriller released this month, Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground (Crown).
More infuriating than that coke tramp charging up your credit limit—or the ethically challenged nerd selling your mom’s birthday—is the expedient decision by some suit driven to work at a Manhattan skyscraper in a Town Car to save a few bucks at your expense.
“That’s a loaded question,” Poulsen said this week, when I asked him whether security has improved since the Internet’s cow-roping days, the first decade-and-a-half A. B. (After Browser).
“The financial institutions made a decision that the cost of fraud is acceptable. They decided against replacing the magnetic strip with a chip and a PIN because it would be too expensive,” Poulsen said.
Kind of makes Joe Cardholder want to take up hacking card processors when he hears that. And the Feds seemed to have thrown down the sandbags for banks that were too lazy or cheap to follow their own procedures. You know those three- and four-digit codes that ecommerce merchants ask you for every time you buy some hand cream from an 800 number? Turns out that they weren’t even checking them, according to Poulsen’s brilliant hardcover. Which left a security hole big enough to drive a made-for-screen-rights plot line through.
Still, it’s a crime to steal or trespass, even if the garage door’s open, and no matter how dumb or negligent the victim. Kingpin sketches a pitched battle between the colorful hacker worlds and the modern day J. Edgar Hoovers who chase, arrest and jail them.
Poulsen’s new book focuses on Vision’s two non-trivial brushes with the law. Poulsen covered Max Butler aka Max Vision’s first trial at the Federal Courthouse in San Jose in 2000. “Max was based in the South Bay and came to fame as a security researcher and was one of the good guys” until he hacked into a string of Department of Defense computers and left notes advising system administrators of their servers’ vulnerabilities. Poulsen says he attended the proceedings “not having a hint of where his life was going to go later.” The author says that the fact that Butler “threw it all away in a whimsical attempt fascinated me.”
Poulsen himself had tossed a career with SRI to the wind and in 1995 was sentenced by a federal judge in San Jose to the longest sentence ever given up until that point for cracking into computer systems. Poulsen today works as a senior editor at Wired News, focused on cybercrime, privacy, defense matters and politics.
Poulsen says his own experiences “lent perspective” to his yarns about Vision’s escapades and acknowledges that he had “more technical background than the average reporter,” which lent depth and authenticity to his account.
Poulsen had also bumped into FBI agent J. Keith Mularski, whom he later learned was running a sting server for “carders” who bought and vended illegal credit card numbers. “I chatted informally with him for a few minutes. When I wrote the book, I had a face to go with the name. He was the last guy who I thought would be Master Splyntr,” the online handle for the profanity-spouting administrator of the DarkMarket cybercrime website. “I had no hint at all that he was undercover and running it. He was pretty slick.”
Vision was crafty as well. “He had hacked into DarkMarket and figured out that the administrator was a fed.”
It was a well-matched battle, but justice won in the end. The hackers “outmatched the government technically,” Poulsen says. “But the government was good at building a case bit by bit.”
According to Poulsen, Vision “was caught with 1.8 million stolen credit card numbers belonging to a thousand different banks, who tallied the fraudulent charges on the cards at $86.4 million.” He was sentenced in February 2010 to a record 13-year sentence and ordered to pay $27.5 million in restitution.
Poulsen thinks that institutions have improved their security since the easy hacking days, but that governments won’t be able to wrest total control back from the forces that have democratized technology. “I don’t think we’ll see a re-aggregation of power. I think it’s going the other way. I mean we’ve seen the role that social networking played in the Middle East uprisings.
“The Internet is proving to be literally revolutionary.”
Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground; By Kevin Poulsen; Crown; 288 pages; $25 hardback