For Money or Mayhem ©2015 2018 Nathan Everett, Elder Road Books, ISBN 978-1-939275-57-8
I’d taken apart the laptop I was issued at the office, used peripherals for entering data, wiped the hard drive, reinstalled everything, and stored all my data, including my email, on a removable drive. But I still wasn’t satisfied with the device. My personal laptop was faster, had more memory, and had all the software on it I couldn’t install on the company laptop. So the last thing I did before I got home Wednesday was buy a smartcard reader for my personal laptop and head to my cozy apartment to try using remote access from my personal computer. My laptop wouldn’t be recognized by the network, but my smartcard should let me through. Then, maybe I could explore the databanks of Evergreen Financial Corp. while others were asleep and unaware.
About ten Wednesday night my phone buzzed and I snapped it open.
“Hamar.”
“Nails,” came the response, followed by a suppressed giggle.
“Sorry. Hi Andi. I didn’t mean to sound snappish.”
“I must have caught you in Nowhere Land. Do you have a minute?”
“Sure. I was just working on a computer and didn’t pay attention to who was calling.”
“I thought I had a custom ring.”
“The phone’s on vibrate. But I’m happy to chat anyway. Any break from the demons of the corporate world is welcome.” I smiled and left my desk so I wouldn’t be tempted to keep looking at the screen while we talked. It’s a bad habit. I plopped down in my recliner and clicked the light on over my one painting—a man looking out across the sea. It was painted by a dear friend back in high school and always makes me feel peaceful.
“Cali has been going on nonstop about how cool it was of you to pick them up in the Mustang. Everyone they know is insanely jealous. She and Mel want to know if you would chauffeur them every day.”
“Well…”
“I’m kidding, Dag. But seriously, Cali has a big-time crush on that car. She’s actually talking about wanting to get a driver’s license. You know Mel has had hers for over a year, but Cali just wasn’t interested until now.”
“Tell her a driver’s license isn’t enough to get her into the driver’s seat of my baby.”
“I’m sure. But the girls want to pay you back and asked me to invite you to the movies Friday night.”
“What movie?”
“They’ve got tickets for us all to go see Once a Hero at Harvard Exit. It’s a new film with a PG rating. Please save me from being the lone adult with these two wild ones.”
“That sounds like fun. I can’t take four in my car, though. Mel was folded like a pretzel in the back seat this afternoon.”
“Not to worry. Mel’s parents approved the movie and suggested she drive her guests. They’re pretty conservative and even though Mel is seventeen, they still hold a tight rein on what she sees and with whom. I think they approved because I said I’d go with them.”
“From what I’ve seen, having Mel around would turn me into a very conservative parent as well,” I laughed. “What a wild child.”
“It might have worked the other way around,” Andi sighed. “I worry that all their rules have pushed her to act out in ways that aren’t always appropriate. At least it makes me look like the world’s coolest mom by comparison.”
“That you are. What time Friday?”
“The girls will pick us up from the faculty lounge at seven if you are going to be there.”
“Sounds good. I’ll see you Friday.” I could hear cheers in the background as apparently Cali had been close enough to get the gist of our conversation.
“Good night, Dag. I seem to have a happy girl on my hands.”
“Good night, Andi.”
I was a pretty happy guy, too. I was going to take three lovely women to the movies. Or be taken. What difference did it make? I sat for a few minutes just staring out at the ocean in the painting on my wall. Finally, I snapped out the light and settled back in front of my computer. The night was still young.
The most intriguing part of the EFC information highway was the fraud line. Computer gurus don’t analyze threats on the fraud hotline. It’s a place where consumers report problems with their accounts. I guessed that only one out of ten people who suspect a problem with their accounts actually report it. That would be comparable to the number of consumers who actually send in rebate coupons when they buy something at a store.
Half the time, credit card statements aren’t even examined unless there’s an expense report to be filed. An unfamiliar charge might be passed off as just another expense. A married person might assume something was charged by the spouse. There are those who call the phone number associated with the purchase. They could find that “according to the on-line agreement you signed, this renews automatically at the first of every month unless we are notified in writing of your intention to withdraw.” Or they might sit on hold with a message that customer service is helping another customer, playing over and over for hours. An especially tenacious customer might fight it out with the vendor, but still not report it to the credit card issuer.
But occasionally, a person will see something that is out of the ordinary and challenge it. Very rarely, it will be done in such a timely manner that the company can actually do something about it. “My electronic statement shows six charges for $29.95 late last night. I didn’t charge anything. What’s going on?” In that instance, the call gets bumped to the head of the queue. The database of vendors is searched. An off-shore porn company? Over a hundred cards charged for six items by that company just before midnight?
A calling force is organized to call all the affected cardholders to warn them that unauthorized charges have been made and their card information could be compromised. New cards are issued. Refunds are made, and the unit sent out to investigate the fraudulent vendor reports back that the company’s accounts have all been closed and the vendor has disappeared. Net loss absorbed by the credit card company of over $25,000 plus time. There is no one to prosecute. Perhaps the company’s fraud losses move from two basis points to two-point-one basis points. The fraud barely registers in the accounts as a bookkeeping error.
But someone out there just stole $25,000.
It was the fraud hotline that led me to the seamy underbelly of the EFC cyberworld.
Every possible thing on earth can be bought with a credit card—drugs, prostitutes, a kidney, a trip to the space station. As long as the vendor has established a merchant bank account, credit cards are good.
Having learned from the underworld bosses of prohibition, most of these operate as respectable businesses. Their accounting is meticulous. They pay sales and income taxes—though not necessarily on the actual goods being sold. There is no reason for the IRS to investigate. On paper, they are legitimate businesses.
In reality, the purchase of web design services by a wealthy businessman may have included a web template personally delivered by a prostitute. Of course, there could be additional charges, but said businessman is not going to complain that he didn’t get his prostitute with those deliveries. It wouldn’t be good for his image as a church-going husband and father of three.
Here in the darkest parts of the World Wide Web, there is really only one business—greed. Any way to move money, even virtual cash, from one pocket to another is accepted.
A line of angry men pounded on a locked door demanding a refund. The door stood alone in the middle of the street and from my angle it was obvious there was nothing behind it. The vendor had closed shop and erased all traces of it.
A woman pled for help at the door of a mission in return for the years she had been donating to it. The fat pseudo-priest reminding her that she had not subscribed to a long-term care package, but described what a wonderful future she would have if she signed over her remaining assets to them.
Despicable as these were, they weren’t what I was looking for. I followed winding streets looking for a back door into a corporate giant. It was easier to find than I ever anticipated.
A new shop was just being set up. It hid behind an old and respectable storefront, but once you entered, you walked directly into the scam operating behind it.
“We’ve noticed that you aren’t receiving our current information at your home address anymore,” the shopkeeper said as I entered the space. It looked pristine. The logos adorning the walls were the latest corporate color scheme, the furnishings boasted lots of flash and interactivity. It was exactly like entering the online corporate headquarters of EFC. “We’d like to make sure our information regarding your account beginning 7785 is current. Just fill out this simple form with the last twelve digits on your credit card, your expiration date, and CCV code from the back of the card. Then be sure to check which of the following items you do not want us to send to you. This is your opportunity to opt out of any of the offers on our list. Otherwise, we will renew the mailings to your home address along with our apologies for the inconvenience you’ve suffered by not having these valuable offers.”
This guy was good. He already knew the first four digits of my credit card. Wow. Must be legit, right? And I was going to start receiving all this junk mail if I didn’t opt out. I certainly didn’t want that. Of course, I couldn’t opt out if they didn’t have the correct account information. I wondered how many people had already responded to this generous offer in the few minutes it had been open.
I walked around a bit and checked the building permits for the shop. Finally, I managed to identify the employee who was responsible. He led me into a private office where he proceeded to snow me with purchase orders, design instructions, and answers to every question but one: “Who was he?” I left the shop and circled around it. In cyberspace there are multiple entrances and exits to everything. I looked around at the foundations and understood. It had been built inside an abandoned site. The entire infrastructure was in place, but the project had been curtailed months ago. The messages waiting in the delivery room, all had a single name written on them.
An EFC employee had commandeered an abandoned subdomain to run a scam on EFC customers.
I hesitated. Was I sure this wasn’t another false identity? There would be no going back. I felt a tremor and realized the shop was already being disassembled.
I pulled the trigger, sending alarms all through corporate security.
Thursday morning, I dragged myself out of bed, showered, shaved, and headed to the office in spite of feeling hung over. I’d not slept at all in the hour and a half I was in bed. I was anxious to get to the office and see if there were any results from my foray into the cyberguts of the company the night before. I grabbed coffee at the Analog on my way down the hill, caught a bus on Olive and jumped off at Third.
I was just in time.
Before I entered the building, police came out with a guy in a polo shirt and slacks, hands cuffed behind him. The officers pushed him into a waiting patrol car and then turned to address the tall, dark-haired man behind them. Don Abrams, Director of Network Security, was nodding and I could hear the tail end of his conversation as I approached.
“We will definitely press charges. We’ve already notified the FBI. We were lucky to catch it before there was a serious compromise of customer data.”
“We’ll take it from here,” the officer said. “But the server unit has to be secured in order to be used as evidence.”
“We’ve disconnected it from the network and it’s ready for impound,” Don said. He was so angry there was a flush about his face. The officer got in the car and Don turned back to the door, almost bumping into me.
“Hey!” I said. “What’s up?”
“That scumbag heisted an abandoned subdomain and spent the night lifting credit card information from customers by posing as a marketing opt-out site. We got an alert about four this morning and I’ve spent the last four hours tying down the site and corralling the bastard. I can’t believe it.”
“Somebody high up?”
“No. Just a damn web designer who stumbled on a vulnerability that we’d never closed.”
“A lot of publicity coming out about this?”
“Fortunately we were alerted almost as the guy started operating. We were able to stop the flow of data before it got offsite, so technically we don’t have to go public. But we’ll do whatever is necessary to put the bastard behind bars.” Don and I went up to the twenty-third floor in silence. “I’m sure I’ll hear about this from Arnie this morning, though. He’s been here since seven.”
“Wish I’d been here for all the fun.” Don looked at me a little strangely and then nodded as he turned down a different hallway.
“Later.”
Corporations the size of EFC have hundreds of websites, but usually only a few domains. Additional pages that are needed for promotions, products, departments, or other legitimate purposes are often subdomains. Subdomains do not have to be registered with any naming authority. A company might, for example have a site that is Promotion.CompanyName.com where “CompanyName.com” is the domain and “promotion” is the subdomain.
Until a few years ago, it was common practice for entrepreneurs to buy up domain names and hold them, especially if they could get the names of major corporations. Eventually the companies would want the domains that matched their company name both for convenience for the customer and to protect themselves from being spoofed. Now it’s illegal to camp on a domain name someone else might have a legitimate claim to, but there are other methods of making consumers believe they are viewing legitimate sites that are scams.
More insidious with the rise of social media sites were subdomains that looked like the company. For example, “We’re giving away a $200 shopping spree to the first ten visitors. Register at CompanyName.freeoffers.com.” If the information was reversed and it was freeoffers.CompanyName.com, the request would come to the corporate domain. But this one had no connection to the company at all. People fell for it every day and the fraud detection group had scans going all the time to locate subdomains on other websites that looked like their company.
Buying domain names for illegal purposes is a risky proposition. The names have to be registered and the owners can be located. But since a subdomain is not registered, it could be used for less ethical purposes. In the case of EFC, the web designer had gained access to an abandoned subdomain that still had server space. He sent an email to several thousand customers informing them that they need to opt-out of various mailings related to their accounts. It all looked legitimate except for three things. Legally a user must opt-IN to promotional use of their information and never be required to opt-OUT in order to avoid getting mailings. The first four digits of every card issued by a specific bank or bank system are the same. Therefore, having the first four digits of your account does not indicate the sender knows anything about you. And banks and credit card issuers do not ask for account information. They already have it. They might ask for proof of identity, a password that has been set up (not the ATM PIN), or last four digits of the SSN. But they’ll never ask for the account number.
The trickiest part of my late-night foray into the company’s intranet was identifying the perp without identifying myself. I was feeling pretty proud of myself for having solved the problem. I was ready to return to my life as a private investigator.
When I got to my desk, and logged into my laptop, I fully intended to email Arnie and resign, having fulfilled my contract. But as soon as my screen connected to the company network an alert box showed up in the middle of it. The message was simple.
“Little fishy in a brook. Little fishy on a hook. Just a little fishy.”
Please feel free to send comments to the author at nathan@nathaneverett.com.