Scamming banks on the internet

Andrew Brown for Jane Taylor


The best definition of cyberspace was provided by John Perry Barlow, who did as much as anyone to popularise the term. "Itís where your money lives" he said. So if people rob banks because thatís where the money is, cyberspace is, increasingly, where they are going to try to do so. It is in the interests of neither the thieves nor their victims to publicise this fact. Only one really large scandal has ever come to light: the Russian Mafiaís assault on Citibank in the early Nineties, when Vladimir Levin, a sat Petersburg hacker, attempted to steal $10m by using stolen passwords. He had only managed a quarter of a million dollars before being arrested at Heathrow airport and, eventually, sentenced to three years by an American court. One of the rules seems to be that if you are good enough to break into a foreign bankís network, make sure that you are tried in your own country: another Russian, Pavel Sheyko, was sentenced by a Moscow court last year to five years suspended, for what the court described as bank swindling "on a particularly large scale."

There are glimpses of other moments: some years a back a teenage Israeli hacker penetrated the Visa network, and was given a very short sentence followed by a job in Mossad. It is probably safe to assume that governments do their best to penetrate banking networks, and that the has succeeded. Of course, they donít want to steal money themselves, but they would dearly love to know where stolen money goes. Certainly the long struggle of the Anglo-American intelligence establishment against strong cryptography unless you assume that much of their efforts are directed against companies as well as individual terrorists, drug dealers, paedophiles, and so on.

Such developments have alarmed the City so much that some lawyers there are seriously proposing a special savage legislative regime for electronic crijme, where offenders would be tried without any presumption of innocence or right of silence in courts that heard evidence in secret and never published the names of the victimised institutions.

The Internet certainly offers some elegant ways to launder money, though these demand acquiescent governments. Virtual Casinos can now be set up easily enough and accessed from anywhere in the world. The huge profits which can be expected from such things could certainly be swollen with all sorts of dirty money. The porn industry, too, is taking advantage of the chance for glo

Security on the Internet is generally understood as a problem for the consumer. The thieves are supposed to intercept money on its way to or from the banks. This does happen, but usually in ways which are a lot more prosaic than in the movies. Instead of a lone, spotty genius sitting at his keyboard, the most promising methods have involved ATM machines. People who leaver their receipts lying around are especially at risk, since these, like credit card receipts, contain account numbers. Given the equipment to program these account numbers onto a magnetic strip (and that, too is possible to obtain, all you need to raid accounts is the PIN number. In one recent case in the Netherlands, someone set up a hidden video camera to watch a card machine at a quiet petrol station, and film the customerís fingers as they tapped in their codes. This may not sound like high-tech crime, but any security is only as strong as its weakest links.

This form of crime is particularly disadvantageous for the consumer, because the banks are extremely reluctant ever to admit that there might be something wrong with their ATM networks, partly in order to discourage fraudulent claims, but also because the whole system depends to a surprising extent on confidence. Of course this means that if anyone can manage the difficult feat of defrauding ATM machines systematically, they will get away with it for longer than they might otherwise have done.

The real promise for fraud comes with the tremendous expansion of credit card use which the Internet seems certain to bring about. I myself have never worried very much about sending my credit card details over unencrypted email. One can be far more greatly embarrassed by love letters than by credit card numbers, because it is banks that bear the risks of credit card fraud. So most of the really successful scams we know about have relied on embarrassment. The most recent case involved a porn site in the Caribbean which told visitors that they could have thirty days free access, but they must first supply their credit card numbers. Yes, people are that stupid.

What gave the scam its distinctive flavour was that the fairly small sum involved, about $20.00, showed up on credit card statements as a payment to a clearly pornographic company. But this also meant that the story ended up as a theft on banks rather than customers, for some customers found it more embarrassing to admit to the bills than quietly to pay them, and so pursued the company until the perpetrators were identified, and the banks involved had to pay up what had been improperly billed.

The point of this is that the risks of internet banking, at any rate on the consumer level, are to a large extent the price which banks must pay in order to encourage the grown of e-commerce. The only really secure technologies for moving money around are also those which can make it anonymous; and a world in which all electronic money had the anonymity of cash would also be one in which it was impossible to collect taxes. No one wants that, and credit card fraud is part of the price we pay for functioning governments.