For Money or Mayhem

{4} A Sheep in Wolf’s Clothing

Evergreen Financial Corp., or EFC, was one of a number of independent credit card issuers that had sprung up about twenty-five or thirty years ago. It had never made it as big as its chief rival, because it adamantly refused to align itself with any mainline bank. Instead, it issued credit cards under private labels for various associations, unions, and even churches. It looked like a prime take-over candidate to me, but miraculously it had staved off attempts by big banks during the great consolidation wave. It kept to its niche market, offered good services, and was semi-privately held. Though technically a publicly traded company, the vast majority of its stock was held by a small number of large investors who seemed of like mind when it came to maintaining their independence.

To those in the right circles, it was also held to be a fortress regarding personal information and computer security. The very thought that the company had become vulnerable to cyber-attack grated on the nerves of management and IT. Lars suspected the company’s unusually proactive movement had other motivations as well. Financial organizations are not required to report incursions into their systems unless customer data has been compromised. Most do what they can to cut off the threat and silently swallow the losses rather than have them made public. The fact that EFC was calling in a consultant meant they thought the threat might be internal.


Monday morning, I was up and dressed by eight, having taken care not to cut myself with my new razor. It was going to be difficult to maintain the little strip of whiskers on my upper lip. Shaving close to it without cutting it off would be a daily challenge.

At half past nine, I was sitting in the plush twenty-third floor offices of Evergreen Financial Corp. on 3rd Avenue in Seattle. I’d checked in with the receptionist, a woman about my age with an extraordinarily pleasant voice. She asked me to have a seat and I heard her call to say I was in the lobby. Her tone in dealing with the person on the other end of the line was one that would calm a tornado. I heard her answer another line in the same calm, reassuring tone.

“Evergreen Financial. I’m sorry, Mr. Drake is out of the office until two o’clock today. May I take a message?”

Take a message? No connecting to voicemail? If I ever have a business that involves a lot of incoming phone calls, I want her answering them. Well, that day was so far away I couldn’t even see it on the horizon.

A woman came through the security doors on the left and stopped to speak to the receptionist. They conversed in low tones for a minute before she approached me. She wore a dark suit and white blouse with one of those long collars that tie into a bow at the neck. Her skirt was cut scarcely above her knee and the one-inch heels she wore clearly stated that she was here on business. I silently thanked Cali for my new suit and stylish tie as I stood to greet her.

“Mr. Hamar? I’m Darlene Alexander, Mr. Dennis’s admin.” Well, that answered my first question. She wasn’t the executive I was interviewing with. “His meeting is taking a few minutes longer than expected and he asked that I get you situated in his conference room. Would you come with me, please?” I acknowledged her greeting and agreed to follow—almost before she turned and marched back to the security door. She waved her badge at a black box on the frame and the door clicked to allow us through. On the way to the conference room we passed a small kitchen and she asked if I would like a cup of coffee. I stopped myself from automatically saying yes. I asked if I might have a glass of water instead and she quickly showed me the cooler and glasses. I filled a glass and continued to follow her to a room next to the corner office with a round table and four chairs. I selected the chair that faced the door and after I sat down the admin departed. It was a great view, out across the Sound. I turned away from it and faced the door, relaxing in my chair.

The executive who was going to walk through that door any minute now was the crook. I’d decided that even before being told exactly what the job was. As far as I was concerned, the guy was guilty just because he was a vice president. That’s my version of “the butler did it.” I supposed I’d have to investigate everybody in the company in order to prove it.

I didn’t have long to stew about it. The door opened and a slightly balding man a little shorter than me strode through the door with purpose. He closed the door and then turned to me.

“Hamar? I’m Arnold Dennis. Don’t get up.” I’d begun to rise when he entered the room, but settled back. This was not a man who beat around the bush. I needed to hang on for the ride. “Good references. Let’s talk about Henderson.”

“Okay.” That wasn’t what I expected. Why would he be interested in my former employer?

“It’s one thing to identify that a fraud is taking place. How did you pinpoint who was moving the money?”

“I see,” I said. “Officially, I held the encryption key to the back-up data at Henderson. When the police took the disks, I decrypted them. The evidence was there.”

“Data isn’t knowledge. What led you to believe it was the C-levels who were doing the work?”

“There are confidentialities involved.”

“You don’t want me to know the how.”

I looked at the guy. This was not the interview I was prepared for. I didn’t really want to go into my techniques for nailing the CEO. Evidence appeared. It was turned over to the police.

“I use a combination of techniques that fit the parameters of the job I’m assigned. If one technique fails to produce results, there are others that I can fall back on. The real question is what you want me to find and what you don’t want me to find,” I said. I kept my voice even and pitched low. Arnie Dennis was leaning forward to hear me better. He was buying and I was selling. He didn’t strike me as a man that many people stood up to. He paused as he considered me and I looked him in the eye.

He smiled.

“Good. Here’s the situation. Our losses due to fraud are increasing. Every credit card company assumes some risk of fraudulent card usage. We expect it and plan for it. Most fraud losses would cost us more to prosecute than the loss itself. Frankly, you can’t even call it fraud most of the time. Usually it’s a spur of the moment decision by someone who is desperate and sees what they think is an opportunity. Could be as simple as finding a credit card and charging a shopping spree to it. Sometimes we still get the captured number and signature used by an unauthorized person. Occasionally it’s something more serious like a raid on a series of card numbers for charging porn. The Internet makes it more difficult to track some of those uses, but we are vigilant about protecting the customer and where we can make an impact we prosecute the offender.”

It was what I expected. Both State and Federal Laws are specific about the responsibility of financial institutions to protect their customers from fraud. But they weren’t required to press charges. Business crimes occur every day and wasting their money on small cases isn’t profitable for an institution’s shareholders. But losses are something every manager at every level is responsible for—whether they are in banking, designing software, or selling shoes. If losses were increasing, however moderately, it was going to raise red flags.

“A basis point is one-hundredth of a percent of the company profit. It is a tough market out there and a downward shift of a single basis point could mean millions of dollars in losses. I’ve been given the authority to investigate and remedy the situation.”

“Why, if I may ask, does that fall to the Chief Technology Officer and not to the Chief Financial Officer?” I asked.

“Good question, with two answers. First, we believe our losses are specifically tied to incursion into our systems. It’s my job to plug that kind of leak. Secondly, technology is now fundamental to every job in our company. Every single employee has a computer and is tied into our network. Our employees and our network are our greatest vulnerability. Finance will be watching my every move on this, but Tech has the ball.”

“Don’t you have inside people who can trace network use?” I asked.

“Yes. But anyone inside the company could be a suspect. And that pisses me off. It pisses me off that I’m a suspect. You are here to get into the network and sniff out the vulnerabilities,” he said. Apparently, I’d been hired. “I’ll call you my Technical Assistant. That will give you unfettered access to everything on the network. Everything. You will have read access for every single computer and server on the network. I want to know whose pocket every missing penny lands in.”

I’m licensed and bonded, but it was sounding like I was just being given the keys to the kingdom. What company was going to give an outsider complete access to their financial documents, strategies, marketing, and technology? Not only that, but this company had an entire division that handled fraud. Those folks certainly wouldn’t be happy about having an outsider looking over their shoulders. There had to be a catch somewhere. Arnold’s smile was back on his face. He looked like he’d just caught me with my fingers in the till.

“You’ll be watched,” he said simply. “I’m not about to launch anything like this without safeguards that I have personally put in place. I will know where you go and every file you touch. I can’t do the investigation myself, but I can be damn sure that you will be monitored. And challenged.” I nodded. That made sense. I’d spend the next few hours pondering exactly how they were going to watch me. Then I’d figure out how to get around it. I don’t like being watched.

“If you are ready to go to work, I’ll have Darlene get you down to HR. She’ll introduce you to my Director of Network Security, Don Abrams. He’ll get you a computer and logon. You’re going to be an employee—full benefits and the works. Of course, I’ll pay your agency a fee as well, but no one in the company is to know that you are an outside consultant or the precise nature of your job. As far as anyone else is concerned, you are doing specific technical investigations on my behalf regarding the impact of new technology on the financial world. There’s a cross-departmental team that does that and you’ll become a member. I hope you can hold your own in a conversation about the Fed’s new policies on electronic record maintenance. Darlene has the position number and employee job req.”

He stood to leave but turned to look at me once again.

“Zack Henderson was a personal friend of mine.”

Damn! Zack was my former boss’s father and the founder of Henderson Associates. And my new boss was his friend? Zack committed suicide two months after his son was arrested.

“It wasn’t what you did that killed him. It was what you found. If you find that one of my partners in this company is raiding the bank, it’ll kill me, too,” he said. Did I believe him? “I’ve been here twenty-three years and I expect to be here another ten before I retire. Just remember this company is twenty times the size of Henderson. It’ll take twenty times the work.”

All right. Maybe I was too quick to condemn corporate executives.

Maybe.


It was two o’clock by the time I was actually seated at a desk and staring at a computer. The morning had been filled with paperwork and briefings by Human Resources. I had forms for filling out 401k deductions, health insurance, and membership in the Puget Sound Health Club. I’d received my security badge/keycard, and as soon as I arrived back at Darlene’s desk she made a quick tour of the office and gathered together the other members of Arnold’s ‘team’ to head out for lunch. Wild Ginger has great food, but it’s never a quick lunch, especially when trying to meet and memorize the faces of half a dozen new people.

I paid close attention. These were the insiders and as such, prime suspects. I’d met Don Abrams earlier in the day and he assured me there would be a computer waiting on my desk as soon as I finished with HR. He was Director of Network Security and Arnold’s go-to man. Allen Yarborough sat across from me at lunch and asked an endless stream of questions that probed my knowledge of system administration. That figured since he was the Systems Admin Manager. It turned out that he was the one directly responsible for issuing my laptop and having me registered on the network. Within a few minutes, I realized I was being interviewed by Arnie’s staff, which hadn’t been given the usual opportunity before I was hired. They were testing my mettle. When Allen finished hammering me about systems admin, Phil Jackson, Manager of Fraud Detection, took over. His questions focused on my knowledge of attacks that were specific to credit fraud. As it turned out, my work on the Henderson case came in handy. Part of what brought the company down was the default on a sizable loan they’d received from a private lending company. If the loan had been through a mainline bank, there would have been a long waiting period while the wheels of justice spun up. Since the lending company was privately held, the default action went from zero to sixty in ten seconds. It didn’t give the execs enough time to hide their tracks before the police were called in.

Ford McCall took over the questioning at that point. Ford was a low-level employee compared to the managers at the table. I was still curious as to how this so-called team was put together. They didn’t seem to have a common manager below Arnold himself. They were at a number of different hierarchical levels. Ford was a researcher. His level of interpersonal skills had probably kept him from being on a management track, but it turned out that he knew something about just about every development in technology that had taken place in the past twenty years. His questions were random, sometimes asking about the credit industry and sometimes about programming in C#. He asked questions about the breakability of different operating systems and went so far as to ask me point-blank if I’d ever hacked a UNIX system. I was going to be watching this guy like a hawk.

That left the two women at the table, the admin, Darlene Alexander, and Jen Roberts. Jen didn’t give her title when she introduced herself and no one seemed inclined to fill in the blank. She asked if I was familiar with matrix management techniques. Things started to click. Most companies have a purely hierarchical structure. If you are an engineer, you work for an engineering manager who works for an engineering director who works for an engineering vice president. You know exactly how many levels separate you from the president of the company. In matrix systems, there may be a hierarchical structure on the boards, but teams are organized according to projects and the individuals on the team might be from several different departments. It turned out that Evergreen Financial Corp. was a hybrid system, but that most of the high level work was done by matrix teams who reported to a team manager and had little to do with the hierarchical structure. In fact, some team members had titles of “Director” but had no direct reports. It was far more typical of the financial industry in which directors and vice presidents were given their titles to show status and not line management. A vice president had higher decision-making authority than a director. Jen Roberts—title unknown—was our team lead.

And that brought me back to Darlene. The rest of the team jumped up from the table before the check arrived, scurrying off to various meetings, appointments, and tasks. Darlene motioned for me to stay while she took care of the check with a Platinum card.

“So, what do you think of your team, Mr. Hamar?” she asked as we left the restaurant.

“Do you prefer to be called Ms. Alexander?” I asked.

“Oh, no. Darlene is just fine.”

“Then please call me Dag.”

“Okay, Dag. But the question still stands.”

“My team. Exactly what is my role on this team? It’s not something that Arnold mentioned to me,” I said. In fact, I was beginning to wonder how I was going to carry out a covert mission in this company if I was going to be assigned a bunch of random investigations on the part of the team. I’d imagined that I would work in relative isolation—like I prefer.

“Your team is a SWAT team. It’s cross-functional and is responsible for identifying and neutralizing threats before they occur. You have a long-term project assigned by Arnie Dennis. The results of your research will be delivered to your teammates in regular weekly reports. You’ll show progress for however long it takes to accomplish the real task that he’s assigned you.” She paused and looked at me expectantly, but I decided to do no more than nod. I didn’t know yet how much she actually knew about my mission. Arnold had led me to believe that no one knew the real reason I was brought on, and certainly the lunch conversations seemed to confirm that. Seeing that I wasn’t going to provide any input at this stage, Darlene sighed.

“Well, I should have expected that,” she said. “I won’t press you for details. I’ve had stranger job requests. Here’s how it’s going to work. My job is to make sure that there is nothing standing in the way of Mr. Dennis doing his job. That means that it is also making sure there is nothing impeding your progress. I know only that your real job has nothing to do with the position on the team that you’ve been introduced to. Every morning I’ll give you a brief email synopsis of what your ‘research’ is revealing. That way if you encounter any of your teammates, you’ll have something to say when they ask you questions. Each Thursday night I’ll provide you with a short paper discussing the progress. You’ll study it that night and be able to talk intelligently about it during your Friday morning team meeting and one-on-one with Jen. Your project is Internet Protocol Security, which I take it you are reasonably well-versed in anyway, so you should be able to fill in at least a few of the blanks. Just watch out for Ford. Somehow that guy knows everything that has ever been published on every subject. I think his brain is wired to the Internet.”

“So what you are saying is that you are going to be doing my official job while I’m doing my real job?” I asked. She nodded. “Isn’t that a little beyond what an admin would normally be, uh…”

“Qualified to do?” she asked, raising an eyebrow. I hadn’t wanted to go there, but yeah. How exposed was I going to be if an office administrator was supplying all the research that I was supposed to be doing because of my high level of expertise?

“I’ve worked with Arnie for years. We were hired at the same level. Only one could rise and I hitched my wagon to his star. I left my position as programming developer to become his administrator as soon as he reached a level that allowed him to have one. We’ve been talking about hiring a technical assistant for the past three months. No matter what it might look like on the outside, the job you are filling had to be defined, vetted, a position number assigned through HR, a job description agreed upon by the executives, and budget approved for hiring. Everyone knew he had someone in mind for the position before he announced plans to hire.”

That was news to me. I’d only known about this for three days. Arnold Dennis was rising on my list of suspects again. If he was devious enough to plan three months ahead of time, then he would have had plenty of time to hide his tracks, or even point evidence at someone else in the company.

“During that time, he also directed me to research the latest in Internet Security Protocols and I have an unending list of resources and papers. I’m familiar with all the data and I’ll be cross-checking it against any new developments over the past three months, but all the heavy lifting has already been done.” Darlene paused and we walked the rest of the block in silence. Before we entered the building, though, she stopped me.

“Something has been bugging Arnie for the past six—maybe eight—months,” she said. It was the first time I’d heard her use his first name. She looked at me with an intensity that I found unsettling. “Whatever you are here to do, it’s supposed to put his mind at ease. I will do everything in my power to make you successful at that. Don’t you dare let him—or me—down.”


Twice today, I’d been admonished to not let someone down—the second time with a passion that I thought of as intimate. I’d seldom seen such intense devotion to an employer and I wondered if there was more to their relationship than met the eye. It would bear investigation. But more, I’d realized that people here liked to meddle in other people’s business. Every person I’d met today could potentially be the person “keeping an eye on me,” and most of them had the ability to use techniques that would be hard to spot. Whatever I did, someone would be watching me, just as I was watching them.

Darlene showed me to my desk. I had a small but comfortable window office just down the hall from Darlene and Arnold. That made sense, I supposed. I was his direct report, even if my team functioned in a matrix. What really surprised me was that my name and title were already on a placard on the door. On the desk was a large laptop computer docked to an even larger flat-screen monitor. A sheet of instructions for initial registration on the network was next to the computer. The rest of the room was sparsely furnished. One desk. One desk chair. One guest chair. One credenza. One lamp. The view out my window was not of the Sound, though if I looked as far left as I could out the window, I could get a glimpse between the buildings. Directly out the window, across the street, was another tall office building and I could faintly see movement behind some of the windows.

It wasn’t an executive desk. Like most tech companies, EFC issued the same basic furnishings for every office and every cubicle. It was a flat surface with metal legs and a wrench that would adjust the height by cranking a bolt in a hole on the top. The desk faced the window so my back would be to the door when I sat at it. That was the first thing that would change. I swung the desk around perpendicular to the window with my back to the wall. The window was on my right and the door on my left. I could see both. I pushed the credenza against the other wall and pulled the guest chair around to the end of my desk so visitors would sit beside me with their back to the door.

In the process of moving the furniture, I surreptitiously checked under the surface of the desk for any listening devices or electronics that might go unnoticed. That’s a nice thing about this kind of furniture—there’s really no place to hide anything unless they hollowed out the desktop and inserted something or it was hidden in a leg. I tapped on the solid surface just to make sure.

Satisfied that the furniture was secure, I turned to the computer itself. I suppose I was being paranoid, but after my lunch and briefing with Darlene, I was inclined to distrust everyone. I turned the device over and examined it closely, from the RFID asset tag on the back to the stickiness of the keys. Without actually starting the computer, I opened it and began typing on the keyboard, testing the touch of the keys to see if the keyboard had been tampered with. When I turned the computer on, I made sure no fields were selected before entering my alias and a fake password. After a moment, I typed Darlene’s alias and a brief note: “Thank you for lunch today and for introducing me to the rest of the team. I’ve got my team meeting and one-on-one with Jen on my calendar. Could you set up a weekly one-on-one with Arnold for me? I’ll keep my schedule clear, but will not be in the office on Wednesdays. Please let me know what would be convenient.” I figured that would be an adequate amount to be picked up if there was a sensing device attached to the keyboard of my computer. I shut the computer down and popped the battery out of the computer to examined it and the channel it fit in. I carry a toolkit in my briefcase, so I grabbed a screwdriver and opened the memory slot. The computer was well-equipped with RAM, but that’s where I found the bug.

It was tiny. Whoever had planted it knew a lot about electronics and cutting edge tech. I suspected this baby might even be black market. The device was just below the keyboard and could record and transmit every keystroke.

It confirmed my suspicion that someone was watching me electronically. All that someone needed was a computer set up to receive my keystrokes and they would be able to see on screen everything I typed.

By the time I’d finished my physical examination of my office and computer, it was nearly five. I suspected that this group would be looser about the hours they kept, but we were in the financial industry and experience told me that most of the office would close up and go home before six at the latest. Someplace in the building, people would just be arriving who were in synch with the Japanese markets. I was pretty sure a contingent was leaving about the time we got back from lunch, indicating a shift that was synchronized with New York. And then there were the twenty-four-hour customer service and security teams. Tomorrow I’d do a floor-by-floor tour of the entire building. But I was about ready to call it quits for today.

“Dag? Excuse me, but I couldn’t help but notice you haven’t logged into the network yet. Is there a problem with your computer?” Allen Yarborough was poking his head through my doorway. Couldn’t help but notice? Right! As Systems Admin Manager, he would know who had logged into the network if he was watching. That he’d been watching for me to log in gave me the creeps.

“No problem, Allen. HR just gave me a ton of paper to go over after orientation this morning. You know, benefit elections, policies and procedures, all that. I just never got around to logging in.”

“Well, it’s almost quitting time for today. Let’s get you logged in so I know everything works and go have a beer.” I’ll bet he wanted to know everything works. Okay, I can play this game. I powered up the computer again and it came immediately to the log-in screen. “It goes more quickly if you use your smartcard the first time you log in. You’ve already set a password when you got your ID,” Allen said helpfully. I slotted my ID card into the reader on the computer. It identified my user name and I typed in the password. The screen went directly to the official EFC desktop and I was on the network. I smiled at Allen.

“Looks like everything works.”

“Great. The first time you open email, it will install and record your settings. Takes about five minutes to get the test message sent through. By this time, you probably already have a day’s worth of email backlog, so you’ll have your work cut out for you tomorrow. Now let’s go get that beer.”

“Oh. Hey, sorry about that. I can’t make it tonight. I’ve got an appointment at six to… uh… see a dog I’m thinking of adopting. Let’s make it another evening. Anytime but Wednesday or Friday.”

“No problem! I’ll see if there’s some other guys I can introduce you to. Maybe Thursday. What kind of dog?”

“A, uh… greyhound. Rescue, you know?”

“Oh yeah. I’ve heard about that. Let me know how it goes.” He left, looking for all the world like he was just a helpful teammate. Hmm. New candidate at the top of my list.

As soon as he was out of sight, I changed my password. There are easy passwords to remember that are almost impossible for a computer to guess. I called up a virtual keyboard on screen and used the mouse to click on each character. My physical keyboard was bugged, but it was a lot harder to track mouse clicks.

When I was satisfied that I had thwarted any attempts to capture my log-in information, I sat back in my chair to contemplate my first day at work. I had a whole list of suspects, and I had a feeling Arnold had put this team together specifically for me to watch. It probably included his entire list of suspects plus whoever was assigned to keep an eye on me. I decided to leave the keyboard bug in place in the computer and to bring a detachable keyboard into the office with me tomorrow. I’d just let my spy stare at a blank screen for a day and see if anyone poked his head in to find out what was wrong. While I was contemplating this, my screen went dark and then switched to screen-saver mode. Didn’t take long—less than five minutes. One of the company policies that had been driven into my head during orientation this morning was the importance of not leaving your desk with an active screen. The screen saver, however, surprised me.

In place of my desktop, I saw a video feed. Of me. Sitting at my desk. Right now. I didn’t immediately swivel around. I could see the direction of where the camera was located as it was shooting straight through the glass door and sidelight of my office. What I was looking at was a live feed from a security camera in the hallway just outside. After about twenty seconds, the camera panned to the right thirty degrees and held that position. Then right another thirty degrees so I was looking across the cubicles across the hall.

If I had left my desk in the position it was in when I arrived, whoever monitored that camera could have seen everything that appeared on my screen. Someone was serious about watching.

But why show me the video?

 
 

Comments

Please feel free to send comments to the author at nathan@nathaneverett.com.

 
Become a Nathan Everett patron!