E-Commerce Report; Gotcha!

Private Internet police use stings to detect online fraud, and then call in the federal authorities.

MEMBERS of a ring suspected of Internet credit card theft received rude surprises last week when they opened U.P.S. packages to look for loot they had ordered online at Laptops4Now.com. Instead of the Sony Vaios and Microsoft Xboxes they had ordered, they received old John Grisham paperbacks and other random items signifying that they had just been caught in a sting.

The twist is that this sting operation was carried out not by law enforcement groups, but by a private antifraud company called CardCops.com, one of a small but growing number of private organizations acting as digital security forces against cyberthieves.

After sorting through the 29 leads they received from the sting, CardCops officials forwarded the information to law enforcement agencies.

“It’s a little bit controversial, setting traps,” said Dan Clements, CardCops.com’s chief executive. “But there’s no other way to catch hackers and carders. You don’t read about any of the authorities going after them and getting them.”

Concerned Internet citizens have long aided the federal authorities in their quest to track down originators of computer viruses and perpetrators of child pornography and credit card theft, but until recently the practice has typically been limited to passing on clues they gather, not setting snares for suspects.

Federal law officials say they welcome the shift to more aggressive private policing, as long as the investigators do not put themselves in jeopardy or break the law. Legal experts say that the F.B.I. and other law enforcement agencies can use evidence from private sting operations in court without having to adhere to the higher standards that govern official sting operations.

CardCops.com, based in Malibu, Calif., is a year-and-a-half-old antifraud business financed by fees from credit-card issuers and online merchants. In late May, CardCops set up Laptops4Now.com after identifying Internet chat rooms it said were forums for credit card thieves.

Mr. Clements said Laptops4Now ostensibly sold laptop computers and other goods that are popular among credit card thieves because they can be easily resold on the black market. Members of the CardCops.com team then logged on to the chat rooms, which Mr. Clements declined to identify, and spread word that Laptops4Now had lax procedures for verifying the validity of credit card accounts.

“Our guys floated this information to the chat rooms at 5 p.m., and within 12 hours we got 16 orders for about $27,000 worth of product.” None of the credit card accounts were actually charged for the transactions.

Logs of site traffic that help determine the location of the people placing the orders indicated that the would-be buyers were in Indonesia, Bulgaria and other foreign locations. “But they had U.S. shipping addresses,” Mr. Clements said. Foreign credit card rings often operate with assistants in the United States, he said, because many e-commerce sites closely scrutinize foreign orders for fraud.

Mr. Clements said the aliases, e-mail addresses and other information gleaned about the people who placed the Laptops4Now orders pointed to the probable existence of a coordinated group of credit card thieves. He said the evidence his team gathered was now in the hands of the F.B.I., the United States Secret Service, the United States Postal Inspector’s office and the Los Angeles district attorney’s office. With the exception of the Secret Service, those offices declined to confirm that they had received the information.

“We’re still seeing which way we want to go with it,” James Todak, the assistant special agent in charge at the Secret Service’s Los Angeles High Tech Crimes Task Force, said of the CardCops leads.

Mr. Todak declined to say whether he would like CardCops to conduct additional stings. But Robert Pocica, supervisor special agent in the new cyber division of the F.B.I. in Washington, commended private online stings. “I’m glad people want to take the initiative,” he said.

Mr. Pocica expressed concern that private citizens with little experience in antifraud efforts “might put themselves in harm’s way or violate the law,” but said he had more confidence in “associations and companies that maybe have more tools, resources and training to conduct this type of activity.”

Despite the F.B.I.’s recent efforts to beef up the agency’s computer-related crime force — the goal is 700 agents, compared with 270 now — Mr. Pocica said that if private citizens “can do a lot of the front end of the investigations, it’s a lot easier for us.”

David Nesom, who directs the national emergency response service team for another private online antifraud firm, Internet Security Systems, in Atlanta, said the field was ripe for companies like his because “law enforcement won’t take it or they don’t have the time to follow up on it.”

“It’s not a knock against them,” Mr. Nesom said. “They’re just overburdened. When the F.B.I. looks at a caseload, they’ll take the most expensive, high-profile cases they can get, and ignore the ankle-biters.”

Like CardCops, Internet Security Systems has used sting operations to help put suspects into the authorities’ hands. Last October, for instance, it set a trap in London to catch a hacker who had broken into the system of an American bank in the Midwest, stealing debit card numbers and then demanding $50,000 from the bank in exchange for information about how he had hacked into the system.

The network intruder was from an Eastern European country Mr. Nesom declined to identify. Rather than fix the security hole and let the hacker walk free, Mr. Nesom lured him to England, which has an extradition treaty with the United States. When the hacker showed up, expecting a clandestine meeting with the bank’s chief executive, he was arrested by Interpol and F.B.I. agents armed with a warrant issued on the strength of evidence provided by Internet Security Systems.

Virtually all of Mr. Nesom’s 75 or so investigators have backgrounds in criminal law enforcement, he said, so they know how to avoid engaging in illegal entrapment that might render their investigations worthless.

But Jennifer S. Granik, clinical director at Stanford Law School’s Center for Internet and Society, said that entrapment issues were not a big concern anyway for private organizations acting independently from government law-enforcement officials “because if there is no government agent involved, you have no entrapment defense.”

Ms. Granik, who also serves as a defense lawyer for suspects in computer hacking cases, said some courts were allowing defense lawyers to argue what is called a “derivative entrapment defense,” when the government acts through a private citizen to snare a suspect. But even then, she said, the standard to show entrapment “is extremely difficult to meet.”

Some online merchants say they welcome the rise of private antifraud investigators. That includes executives at CDUniverse.com, which was broken into by hackers in 1999 and which estimates that 5 to 8 percent of its orders come from people with stolen credit cards. Charles Beilman, CDUniverse’s chief executive, said the company had not been reporting any of the fraudulent orders “because I’ve gotten the impression that nobody cares or that nothing would happen.”

When told about the CardCops.com sting, Mr. Beilman said: “It sounds nice. We haven’t seen the Secret Service or anybody really work it hard, so we’ve just had to suck it up when it comes to credit card fraud.”