Online Crime a Cat-and-Mouse Game for Hackers, Security Companies

August 12, 2010 at 12:00 AM EDT
Spencer Michels wraps up his cybersecurity series with a look at online crimes and the technology being used to stop them.


JIM LEHRER: Now the final story in our cyber-security series. NewsHour correspondent Spencer Michels reports on the problem of online crime.

SPENCER MICHELS: If you could play an ATM like a slot machine, this would be hitting the jackpot.

At the recent Black Hat Cybersecurity Convention in Las Vegas, computer expert Barnaby Jack showed how to do it. His demo was so controversial that it was delayed a year so the manufacturers could come up with a fix.

But plenty of other security loopholes remain.

BARNABY JACK, IOActive Labs: I didn’t give away the cookbook recipe to allow anyone to suddenly go and break into these machines, but I think the reason I showed this is I want to raise awareness of these issues. The flaws are actually in the code that the manufacturers come up with.

SPENCER MICHELS: The problem of cyber-crime is not limited to ATM machines. Last year, the FBI reported more than half a billion dollars was lost to Internet thievery. Other estimates are much higher, but it’s hard to measure because banks are reluctant to acknowledge their losses.

TERRY AUSTIN, Guardian Analytics: You know, this is a touchy topic, because a lot of banks don’t really want to talk about the fact that they have this vulnerability.

SPENCER MICHELS: Terry Austin, CEO of Guardian Analytics, a company that designs software to protect banks from cyber-crime, says that his banking clients privately tell him that the threat of being hacked is getting worse.

TERRY AUSTIN: As we get into the security departments and talk with the executives at banks, they begin to acknowledge how serious a problem it is.

SPENCER MICHELS: That’s partly because more and more people do their banking online — almost a third — and it’s partly because the crooks are getting more sophisticated and more organized into crime syndicates.

Joe Menn, who writes for “The Financial Times,” talked to a group of bankers about the problem.

JOE MENN, “The Financial Times”: The banking industry, as I said, has gotten itself in a bit of trouble by telling everybody how safe online banking is. So maybe that was true a while back. It is not true today.

SPENCER MICHELS: The American Bankers Association acknowledges it encourages online banking because customers can check their own accounts online to discover fraud. But finding fraud quickly is not easy. Cyber-criminals often use malicious software designed to infiltrate a computer system without the owner’s consent and steal from customers’ bank and credit card accounts without their knowledge.

JOE MENN: Half of all credit card numbers are in the hands of organized criminals, according to the Justice Department. Half of all computers have some form of malware on them. It’s the worst stuff that steals your financial passwords and the like.

SPENCER MICHELS: Hacking into someone else’s computer is relatively easy for experts. At McAfee Security Systems, Candace Worley and technician Bruce Snell showed us how a hacker can install malware on a computer without the owner even knowing about it.

BRUCE SNELL, McAfee Security: We’ll just attach it to an email and we’ll send it over to Candace, and it will come from, you know, somebody that she recognizes as a friend of hers.

CANDACE WORLEY, McAfee Security: I’m going to drag the attachment in the e-mail to my desktop. It’s going to open that screensaver because I’m thinking I’m getting a cool new screensaver I can install on my laptop.

SPENCER MICHELS: And now all of her keystrokes can be seen by the criminal.

BRUCE SNELL: I can pretty much do whatever I do at this point. I can see what she’s typing on her screen. I can really take control of her computer.

SPENCER MICHELS: With that control, the crooks have access to passwords and bank account numbers.

Terry Austin says criminal gangs have developed a way to move the stolen money out of the country.

TERRY AUSTIN, Guardian Analytics: They’ll often set up a network of what we call mule accounts. These are people who have been hired to work from home to transfer money in and out of a bank account, and then it’s whisked offshore.

SPENCER MICHELS: In his book “Fatal System Error,” Menn says the organizers have become local heroes at home.

JOE MENN: The people in charge are definitely in Eastern Europe. They’re probably in the Ukraine. There is less societal disapproval for crime against people in other countries, particularly the West. And we use credit cards more, we have fatter bank accounts, we’re logical targets.

SPENCER MICHELS: The vulnerability of our financial information has national security implications, says Melissa Hathaway, who led a cyber-security review for President Obama.

MELISSA HATHAWAY, Hathaway Global Strategies: I think our economic security is our national security. And to the extent that anybody can make the e-commerce infrastructure unstable, that’s going to jeopardize really everybody’s economy.

SPENCER MICHELS: Stealing information via computer has become an international sport with a big payoff.

Chris Paget showed another way thieves get information and eventually money. He set up antennas on a 29th floor Las Vegas hotel balcony to demonstrate how credit cards and passports embedded with wireless transponders called RFID tags can be read by crooks.

CHRIS PAGET, security researcher: These things can be read at very long distances. People can be tracked, they can be identified. You can find out all kinds of information about them from these RFID tags that are being issued to you by the government, by stores, and products you buy all over the place.

SPENCER MICHELS: But hackers don’t just use computers to gain access to information, as was made clear in this contest at the DefCon Hackers Convention. Here, contestants like Shane MacDougall showed how they could get crucial information on cyber-security simply by phoning employees at large firms and convincing them to divulge company secrets.

MacDougall called a large automaker.

SHANE MACDOUGALL, security consultant: Is your computer currently running the corporate Symantec anti-virus, or is it running an alternate?

You know, pretending you are doing a survey, pretending you are internal audit, pretending you are external audit, it could be coming up dressed as a courier into the front desk, or, you know, you’re a sprinkler inspector. There are so many different ways you can pretext yourself into a company, but basically social engineering is lying.

SPENCER MICHELS: Do you think it works most of the time?

SHANE MACDOUGALL: It works all of the time. I mean, whenever you couldn’t get in past the firewall, or hack your way in, you could always social-engineer your way in.

SPENCER MICHELS: Defending against smooth talkers is a matter of training, which experts say is often lacking. Defending against cyber-crime, which is more technical, has become big business.

For years, computer owners have used anti-virus services like McAfee or Norton to protect against malware. McAfee’s Candace Worley said her firm processed 17 million pieces of malware last year, and the threat is changing.

CANDACE WORLEY: It’s a constant game of cat and mouse; right? So, we build a better mousetrap, the hackers basically create a better mouse. And so it’s a constant process of evolving our technologies to address the new types of attacks that they create. So about the time we believe we’ve caught up with everything they could do, they create something new.

SPENCER MICHELS: But some security experts question whether it’s possible to keep up with the bad guys, especially for individuals trying to protect their own computers.

Guardian Analytics CEO Terry Austin says computer bank robbery often takes place without banks even missing the money at first. Austin’s firm has designed a system to detect suspicious activity using changes to a customer’s usual patterns.

TERRY AUSTIN: We saw a fraud attempt, nearly a million-dollar wire transfer, where the fraudster broke into the account with stolen credentials. They set up some new payees, some people to receive funds, and then they tried to execute wire transfers to those new payees. Luckily, we saw it before they could get any money out.

SPENCER MICHELS: But fraud detection systems like that and more traditional virus protection services face a continuing battle. And for his part, writer Joe Menn thinks it’s a losing battle.

JOE MENN: If I had to bet, I would bet that it’s going to run wild and forever, and it’s going to destroy the Internet as we’ve come to think of it as a place that is safe to do business, safe to do financial transactions, safe to put your sensitive business materials in the cloud and access it remotely. It’s really, really bad.

SPENCER MICHELS: Others say that by talking about cyber-crime and figuring out what the criminals are up to and how they work, security may be possible.

The administration and the industry say they are working towards that goal.