The New Outlaws: Cybercriminals

In one of my columns for the Tennessee Bar Journal, I featured good, old-fashioned bank robbers, both real and Hollywood-made. Men and women who pulled pistols on bankers and made off with the cash, either on horseback or Model-T, make for good pulp fiction and some bad TV, but they were not nearly so insidious as the new cybercriminals.

These bad guys, often perpetrating their crimes from thousands of miles away, don’t have to say “stick ‘em up” to get their prizes. One recent bank heist that netted more than $45 million has been the stuff of cyber-geek legend. The Associated Press reported in May 2013, that a small team of “highly skilled hackers penetrated bank systems, erased withdrawal limits on prepaid debit cards and stole account numbers.” Seven people were arrested in this country, accused of operating a New York cell of what prosecutors said was “a network that carried out theft at ATMs in 27 countries from Canada to Russia.” More than a dozen countries were involved in the investigation, which was led by the United States Secret Service.

Cybercrime blogger Willie Jones posted on July 26, 2013, that the “idea that cybercrimes are the work of miscreants or gangs of hackers picking targets at random is outmoded.” The criminal underground has learned that it’s easier to hack into a bank than it is to break into it.

Banks and their customers share in the responsibility to combat this invisible crime. Banks are required to have fraud detection systems. They undergo comprehensive examinations by their state and federal banking regulators that are designed to detect weaknesses in their systems. Nevertheless, hacking still happens, sometimes because of customer carelessness. While the bank’s malware protections are typically good, often customers do not have the same sophisticated protections on their own computers. In one recent case, a bank customer’s employee took work home and used her personal computer to enter data. That system was hacked, sending what appeared to be a legitimate message to the bank to make transfers. Before it was caught, thousands of dollars were out the window and on their way to Russia.

The Federal Trade Commission requires financial institutions and certain other companies that may be creditors to implement written identity theft prevention programs designed to detect the warning signs — or red flags — of identity theft. We all understand what a financial institution is, but the Red Flags Rule applies to any business or organization that regularly provides goods or services first and allows customers to pay later. The Red Flags Rule, found at www.ftc.gov/redflagsrule, sets out the circumstances under which a business must establish a written identity theft prevention program.[1] Simply put, a business must have the written program if it has “covered accounts,” defined as either (i) consumer accounts designed to permit multiple payments or transactions, or (ii) any other account that presents a reasonably foreseeable risk from identify theft.

If a financial institution or other business covered by the Fed Flags Rule discovers a breach of data security or even a possible breach, the FTC regulation sets out remedial protocols, including notice to affected customers of the possibility of breach. While situations may differ, the following are examples of appropriate responses depending on the circumstance:

  • Monitoring a covered account for evidence of identity theft
  • Contacting the customer
  • Changing passwords, security codes or other ways to access a covered account
  • Closing an existing account
  • Reopening an account with a new account number
  • Not opening a new account
  • Not trying to collect on an account or not selling an account to a debt collector
  • Notifying law enforcement
  • Offering the affected customer(s) identity theft insurance for a period of time
  • Determining that no response is warranted under the particular circumstance.

Many years ago now, one of my son’s so-called friends allegedly swiped my credit cards and proceeded to run up bills. I tell people that two positive things happened next: I disposed of all of my credit cards except American Express (which I never leave home without), and I met a cute cop. That identity theft was pretty easy to curb, but cybercrime can be devastating. In more recent times, I was notified by Macy’s that someone in the Bronx had tried to use my AmEx card number to purchase a full set of living room furniture, and while it may be that I could use a make-over at home, I had not made the purchase. Macy’s caught it, American Express refused the charge, and I have to presume that the New Yorker who wanted new chairs, sofa and accessories has had to do with the old stuff — unless they hacked someone else’s computer. During that process, I discovered that my home computer had been hacked and that was probably the way my credit card number was stolen. A couple of thousand dollars later for upgraded malware detection and anti-virus protections on my personal computer and iPad, I feel relatively secure but check the AmEx website every day to be sure that no one has used the card number except its rightful owner. Banks and other financial institutions spend a small fortune trying to ensure that their systems are safe — yet another cost of doing business that is passed along to customers.

The Internal Revenue Service reported dozens of examples of identity theft schemes that occurred during 2013[2] — here are just two:

  • On Sept. 30, 2013, in Los Angeles, Michael Williams of Palmdale, Calif., was sentenced to 33 months in prison and ordered to pay $787,086 in restitution. Mike Niko, of Los Angeles, was sentenced to 15 months in prison and ordered to pay $104,662 in restitution. According to court documents, from May 2009 through July 2010, Williams and Niko conspired with others to defraud the United States by using the personal identifying information of various individuals to file false tax returns claiming fraudulent tax refunds. A co-conspirator stole names and social security numbers from the California Department of Public Social Services’ computer system. The fraudulent returns claimed the First Time Home Buyer Credit and/or Earned Income Credit. Purporting to be tax preparers, Williams and Niko established bank accounts for the purpose of receiving the refunds claimed on the false tax returns.
  • On Sept. 3, 2013, in Montgomery, Ala., Angelique Djonret was sentenced to 24 months in prison for her involvement in a million dollar identity theft tax fraud scheme. Djonret pleaded guilty on April 19, 2013, to identity theft. According to court documents, between October 2009 and April 2012, Angelique Djonret’s sister, Antoinette Djonret, orchestrated a tax refund scheme using stolen identities to file over 1,000 false tax returns that fraudulently claimed over $1.7 million in tax refunds. Antoinette Djonret obtained stolen identities from multiple sources, including Alabama state databases. She also established an elaborate network for laundering the refund money. Antoinette Djonret recruited her sister, Angelique, into the conspiracy, whose role was to obtain prepaid debit cards in her name and others’ names for purposes of receiving the fraudulent tax refunds. Angelique Djonret also assisted in the filing of false tax returns using stolen identities. Antoinette Djonret was in February 2013 sentenced to 12 years in prison.

In mid-December, Target learned that criminals had forced their way into the retailer’s system, gaining access to credit and debit card information. Customer names, mailing addresses, e-mail addresses and telephone numbers were left vulnerable. Up to 70 million customers could have been affected by the theft before it was discovered and the access point plugged on Dec. 15, 2013. The company said that the breach occurred between Nov. 27 and Dec. 15, 2013 — at the height of Christmas shopping season.

As identity thieves become more sophisticated — less rummaging through our trash for non-shredded personal papers and more computer and PDA hacking — predictions are that future efforts for preventing identity theft will probably come through technological advancements that incorporate some physical aspect of a person’s body in order to verify identity. Known as biometrics, this type of authentication uses unique physical characteristics such as fingerprints, iris/retina scans, facial structure, speech, facial thermograms, hand geometry and written signatures. As much like science fiction as that sounds and as much as it begins to creep into our Constitutional rights of personal privacy, the justice system will no doubt ponder and debate the delicate balance between protecting our privacy and protecting our identities by using personally identifying features. Our law firm already uses fingerprint scanners for access to sensitive areas of our offices.

As I sit in my office surrounded by my photos of Jesse James, Bonnie and Clyde and Willie Sutton, I have to wonder what they would make of all this high-tech crime, but I also know that if I had only stuck to my manual Underwood typewriter, I wouldn’t have to worry about the FBI’s 10 most wanted cyber criminals worming their way into my privacy and bank account. All you needed to do back then was shred the ribbon!

Notes

  1. The Red Flags Rule was issued in 2007 under Section 114 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act), Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681m(e). The Red Flags Rule is published at 16 C.F.R. 681.1. See also 72 Fed. Reg. at 63,771 (Nov. 9, 2007). You can find the full text at http:// www.ftc.gov/os/fedreg/2007/november/ 071109redflags.pdf. The preamble B pages 63,718-63,733 — discusses the purpose, intent and scope of coverage of the rule. The text of the FTC rule is at pages 63,771-63,774. The Rule includes Guidelines B Appendix A, pages 63,773-63,774 — intended to help businesses develop and maintain a compliance program. The Supplement to the Guidelines — page 63,774 — provides a list of examples of red flags for businesses and organizations to consider incorporating into their program. This guide does not address companies’ obligations under the Address Discrepancy or the Card Issuer Rule, also contained in the Federal Register with the Red Flags Rule.

    The Rule was amended in 2010 by the Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4), Pub. L. 111-319, 124 Stat. 3457 (Dec. 18, 2010).
  2. Internal Revenue Service, www.irs.gov/uac/examples-of-identity-theft-schemes-fiscal-year-2013.

Katie Edge

KATHRYN REED EDGE is a member in the Nashville office of Butler Snow LLP with offices in Tennessee, Mississippi, Alabama, Pennsylvania, Georgia, Louisiana, New York and London, England. She is a member of the firm’s Government and Regulatory Practice group and concentrates her practice in representing regulated financial services companies. She is a past president of the Tennessee Bar Association and a former member of the editorial board for the Tennessee Bar Journal.