Monday, August 8, 2011

Cybercrime Pays!

[Disclaimer: This has nothing at all to do with photography.  But it's certainly relevant to anyone who conducts business online. -GF]

Once upon a time I was a regular speaker for high school career day.  Back then, I was a NASA guy and I was able to establish instant credibility by talking about my job and showing them the device I made that got me into the Guinness Book of World Records (a big deal when you’re in high school).  After the introductions, I would start out telling everyone to make a paper airplane, but not to test it.

“So now you’re in charge of the Federal Aviation Administration and your job is to certify that the plane is safe to fly.”  This caused cognitive dissonance in my audience, since I specifically instructed them not to test their airplanes.  “How can we certify that they’re flightworthy if we can’t even test them?”

That’s when I would start my spiel about how Math and Physics can help you predict the future.  You could know, for example, how long it would take for an object dropped from a very tall building to hit the ground before you actually did it.  You could know if the people in a roller coaster would stay in their seats when it went through a loop, all before you went to the great expense of building it.  And yes, you could know if an airplane was going to fly before you went to great lengths to build it.  Math and Physics let you predict the future!

Then I’d go into all sorts of other details, and still manage to keep everyone engaged in what is otherwise perceived as a boring subject.  I’d invariably win “Best Career Day Speaker” at the end of the school year.

But that was then.  If I were called upon to give a career day speech again, I wouldn’t push engineering.  Nor would I push photography as a career (yeah, like I want to make more competition for myself :-) ).  What would I tell them to become?  Cyber Criminals.

Yes, you read that right.  My aspirational advice started changing about a year ago, when someone hacked into my online shopping cart (where all of my e-books are sold) and had all the PayPal payments redirected to the hacker’s account.  I noticed the alteration and instantly restored all the old values and changed my password within a few days, thinking the damage was minimized, but my problems didn’t end there.  It turns out that the hacking party was quite clever, and planted other scripts in other directories which would periodically wake up and reroute the PayPal ‘remit to’ address back to the crook’s address.  Fortunately I had employed a small and responsive company for my shopping cart needs (highly recommended!) and one of their employees did a thorough server search, eliminated all the rogue programs, and wrote a software patch to prevent that kind of exploitation from happening again. 
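The intrusion described above had two parts: a changed payee value in the cart's configuration, and scripts planted in unrelated directories that kept changing it back after the owner restored it. Neither is visible from the storefront, but both show up in a simple integrity check that compares the live webroot against a known-good baseline and verifies the payee explicitly. The following is an added example, not code from the original post or from the cart vendor; the define()-style config format, the account names, the file layout and the "rogue script" are all constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical: the account the cart should actually remit to.
EXPECTED_PAYPAL_ACCOUNT = "payments@example.com"

# Constructed config in a hypothetical PHP define() style; the real cart's
# config format is not shown on the page.
CLEAN_CONFIG = (
    "<?php\n"
    "define('SHOP_NAME', 'E-book Store');\n"
    "define('PAYPAL_BUSINESS', 'payments@example.com');\n"
)
TAMPERED_CONFIG = CLEAN_CONFIG.replace("payments@example.com", "attacker@example.net")

# Constructed stand-in for the planted script that re-wrote the address.
ROGUE_SCRIPT = "<?php /* constructed example of a planted re-writer */ ?>\n"

PAYPAL_RE = re.compile(r"define\(\s*'PAYPAL_BUSINESS'\s*,\s*'([^']*)'\s*\)")


def paypal_account(config_text):
    """Return the payee the cart is currently configured to remit to, or None."""
    m = PAYPAL_RE.search(config_text)
    return m.group(1) if m else None


def payee_tampered(config_text, expected=EXPECTED_PAYPAL_ACCOUNT):
    """True when the configured payee is missing or differs from the known-good one."""
    return paypal_account(config_text) != expected


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> SHA-256 for every file under root (the baseline)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(baseline, current):
    """Files that appeared, vanished, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Build a clean webroot, take a baseline, simulate the intrusion, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        (webroot / "includes").mkdir()
        (webroot / "includes" / "config.php").write_text(CLEAN_CONFIG)
        (webroot / "index.php").write_text("<?php echo 'shop'; ?>\n")
        baseline = snapshot(webroot)  # keep a copy of this OFF the web server

        # Simulated compromise: payee rewritten, helper planted in an unrelated dir.
        (webroot / "includes" / "config.php").write_text(TAMPERED_CONFIG)
        (webroot / "images").mkdir()
        (webroot / "images" / ".cache.php").write_text(ROGUE_SCRIPT)

        changes = diff_snapshots(baseline, snapshot(webroot))
        tampered = payee_tampered((webroot / "includes" / "config.php").read_text())
        return changes, tampered


if __name__ == "__main__":
    changes, tampered = demo()
    print("payee tampered:", tampered)
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
```

Run the snapshot comparison from a scheduled job rather than once after cleanup: a planted script that rewrites the payee every few hours is caught by the next run even if the first restore looked complete. The baseline must live somewhere the web server's account cannot write, otherwise whoever planted the scripts can update the baseline too, and any unexplained "added" or "modified" entry is a reason to rebuild from clean source rather than to delete the one file that was noticed.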

By the time the problem was fixed, a good deal of e-book payments had been siphoned off to the offending party’s PayPal account.  I didn’t think it would be a problem recovering my money – after all, I had the recipient’s PayPal address, and PayPal knew the name, address, and bank info of the person whose email address kept being substituted for my own.  All I would have to do was complain, print out the evidence, and all should be well again.  An open and shut case.

Here’s where my eyes got just a little wider.  PayPal was incredibly unhelpful (somewhere between being insular and non-responsive).  They told me I had to file a police report first to somehow lend credibility to my complaint.  (That was another great experience – like the local police understand the internet, hacking a server, or how PayPal works).  Once done I contacted PayPal, who took the basic information, didn't provide a case ID and said "an investigation would be started, but it's not our policy to provide restitution in the case of 3rd party shopping cart break-ins".  Those of you who are familiar with PayPal's reputation already know that nothing happened after that.

Long story short: a friend put me in contact with a PayPal employee who cared a little, and was able to get about 30% of the diverted funds restored to my account.  But they would not reveal the name of the person who was receiving my payments, preventing me from pressing charges.

“Why didn’t you hire a lawyer and press charges, or report the incident to the FBI?”, I hear you ask.  Let’s start with the FBI question first.  Cybercrime is so prevalent that the FBI has a “Report a Cybercrime” (technically called an IC3 internet crime report) link right on their home page.  I dutifully filled it out and watched as nothing at all happened.  

Later I learned that unless my loss was about $1 million or more, nothing was going to happen.  My lawyer friend explains: “You have no input as to whether or not the authorities prosecute someone.  My friend the doctor had a similar problem when he had an employee steal over $100,000.00 from him.  The authorities work at their own pace.  Unfortunately, they don't really go after people who steal small amounts.  Unless they can find that this person has done this with others and there is a significant amount at issue, they won't be terribly interested.”

Depending on who you talk to, cybercrime costs global businesses anywhere between $500 million and $1 trillion.  Try as I might, I was unable to find any statistics that show what percentage of these criminals have been successfully prosecuted.  Based on my experience (one data point!) I can safely extrapolate the answer to be "not many".  The plain and simple truth is that if you engage in any sort of online theft, and keep the damages per victim under $100,000 or so, there’s a near-zero chance that any negative consequences will transpire.  Earning money this way is WAY easier than earning an engineering degree!!  And you needn’t develop any deep sophistication to be successful at it either, since there are now readily-available pre-packaged hacking tools that make things so easy that even a bored teenager can do it.

Okay, so law enforcement will be of no help.  Can’t I sue the person who received the funds?  The answer is yes - I can file what's called a "John Doe" lawsuit, where the actual person you're suing is unknown but you can then subpoena documents from PayPal.  BUT the amount I lost (thankfully!) was such that my case would come under the jurisdiction of small claims court.  In small claims court you MUST have a named defendant.  Dead end.

So how can I, in good faith, possibly tell today’s youth to work hard and make America great again when it’s oh-so-much easier to execute low-level cyber crimes that have no meaningful deterrent?

The hacking on my website continued - last August it became part of a botnet which attacked a server in New Hampshire, attempting to shut it down unless a ransom was paid.  That took some time to clean out also.  (Kudos to my webhost, which managed the damage while I was travelling.)  But you get the idea.  My web business is a liquor store in a bad neighborhood.

What’s a small online business to do?  Ultimately the only real protection one can have is either stay the hell off the internet or get yourself some business interruption insurance (which has its own horror stories, I’m sure).  In theory the insurance is much cheaper and easier than hiring a lawyer and trying to prosecute successfully. 

And so, kids, while it’s true that math and physics can help you predict the future, right now you’ll probably find the electronic frontier much more lucrative, and it involves a fraction of the effort.  I’ve even got a great attention-getting opening line for my next talk:  “What would you do if you knew that committing a crime would go completely unpunished?”



  1. I shared this posting on Facebook, Twitter and my Google+ account. All I can say when I read it is "Wow". Unfortunately you're right on so many levels... truly a sad state of affairs we're in today.

  2. Wow. Too true. I work in the tech field and remote attackers have been a subject of much discussion and many a late-night strategy planning meeting and deployment to ensure that "they" don't get through.

    Here's the problem: Every system has a weakness. Since people don't have unlimited funds and depending on who/how you have your site hosted... your options get limited.

    On a shared webhosting system? It doesn't need to be your account that gets compromised to have your data/transactions impacted. Got your own server, but running code (PHP/Perl/Python/Ruby/etc.)? The app stack you're using probably has a weakness... or some new UI code update has a weakness...

    Rule of thumb in the IT field: if it gets hacked, you backup an image, re-install the system from scratch, and move on. Having good backups to restore from is important. As is revision control of any changes made to a system.

    It's a continual uphill battle. :(