INFORMANT
The magazine for professionals who support the prevention, investigation, and prosecution of economic and high-tech crime
VOL. 4, NO. 1, JULY - DECEMBER 2007

www.nw3c.org

Join law enforcement officials and risk management professionals from across the U.S. and throughout the world to learn from model programs and to share best practices that address economic and high-tech crime at many levels.

The Global Conference on Economic and High-Tech Crime features breakout sessions on:
• International Banking
• Cross Border and Global Identity Theft
• Global Criminal Use of Social Networking Sites
• Evidence Gathering Challenges from Wireless Devices

Featured Speakers include:
• Patrick Kuhse, Convicted felon, Stockbroker and Entrepreneur
• Steven Emerson, Executive Director of the Investigative Project on Terrorism
• Charles Cohen, 1st Sergeant, Indiana State Police
• Steven DeBrota, Assistant U.S. Attorney, Southern District of Indiana

New NW3C Members

NW3C extends a warm welcome to the agencies listed below that became members between February 2007 and July 2007!

Northeast (224)
Brookfield Police Department, MA; Cumberland Police Department, RI; Dover Police Department, VT; Duxbury Police Department, MA; Epping Police Department, NH; Greenfield Police Department, MA; Lincoln Police Department, RI; Madison Department of Police Services, CT; Naugatuck Police Department, CT; New Canaan Police Department, CT; Quincy Police Department, MA; Rockland Police Department, ME; Somerset Police Department, MA; Stowe Police Department, VT; Sutton Police Department, MA; Tilton Police Department, NH; U.S. Postal Service - Office of Inspector General - Boston Field Office, MA; Westport Police Department, CT; Woonsocket Police Department, RI

South Central (239)
Ashland Police Department, AL; Beauregard Parish Sheriff’s Office, LA; Boone County Sheriff’s Department, AR; Calcasieu Parish Sheriff’s Office, LA; Decatur Police Department, TX; Dumas Police Department, TX; Hot Springs Police Department, AR; Jacksonville State University Police Department, AL; Orange County Sheriff’s Office, TX; Piedmont Police Department, OK; Rockwall Police Department, TX; Sentinel Police Department, OK; Southern Arkansas University Police Department, AR; Star City Police Department, AR; Texarkana Police Department, TX; Wolfforth Police Department, TX

West (255)
Colusa County District Attorney’s Office, CA; Deschutes County District Attorney’s Office, OR; Fresno Police Department, CA; Las Vegas Department of Detention and Enforcement, NV; Lyon County Sheriff’s Department, NV; Maui Police Department, HI; Multnomah County Sheriff’s Office, OR; Northwest Regional Computer Forensics Laboratory, OR; Oakland Police Department, CA; Prineville Police Department, OR; Redding Police Department, CA; Ridgefield Police Department, WA; San Diego Sheriff’s Department, CA; South Bend Police Department, WA; Sutherlin Police Department, OR; U.S. Army - Directorate Emergency Services - Fort Lewis, WA; U.S. Department of Homeland Security - Immigration and Customs Enforcement - Reno Resident Office, NV; Yakima Police Department, WA

Southeast (571)
8th Judicial Circuit Solicitor’s Office, SC; Alpharetta Police Department, GA; Anderson County Sheriff’s Office, SC; Appalachian Judicial Circuit Office of the District Attorney, GA; Berkeley County Sheriff’s Office, SC; Bibb County Sheriff’s Office, GA; Bowling Green Police Department, KY; Brunswick County Sheriff’s Office, NC; Cabell County Sheriff’s Office, WV; Crescent Springs Police Department, KY; Dade County Sheriff’s Office, GA; Dickson County Sheriff’s Office, TN; Dobson Police Department, NC; Edgewater Police Department, FL; Edgewood Police Department, KY; Florida Office of the State Attorney 14th Judicial Circuit, FL; Fort Mitchell Police Department, KY; Fredericksburg Police Department, VA; Georgia Department of Banking and Finance, GA; Hancock-Brooke-Weirton Drug Task Force, WV; Henrico Commonwealth’s Attorney’s Office, VA; Hiram Police Department, GA; Independence Police Department, KY; Irmo Police Department, SC; Jacksonville Police Department, NC; James Madison University Police Department, VA; Kentucky Office of Alcoholic Beverage Control - Division of Enforcement, KY; Kentucky Office of Homeland Security, KY; Levy County Sheriff’s Office, FL; Liberty University Police Department, VA; Monroe Police Department, GA; Morehead Police Department, KY; Newnan Police Department, GA; Newton County Sheriff’s Office, GA; Oak Island Police Department, NC; Oconee County Sheriff’s Office, SC; Pender County Sheriff’s Office, NC; Perry Police Department, GA; Sanford Police Department, FL; Sevierville Police Department, TN; Snellville Police Department, GA; Spalding County Sheriff’s Department, GA; Spring Hill Police Department, TN; Suffolk Commonwealth’s Attorney’s Office, VA; Sullivan County Sheriff’s Office, TN; U.S. Army Criminal Investigation Command - 12th Military Police Detachment - Fort Eustis, VA; U.S. Department of Homeland Security - Immigration & Customs Enforcement - Office of Investigations, PR; U.S. Department of Justice - Office of the Inspector General - Washington Field Office, VA; Waverly Police Department, TN; West Virginia Lottery, WV; Whitfield County Sheriff’s Department, GA; Winder Police Department, GA; York - Poquoson Sheriff’s Office, VA

Great Lakes (614)
Albany County Department of Probation, NY; Albany Police Department, NY; Bethesda Police Department, OH; Chautauqua County Sheriff’s Office, NY; Clare County Sheriff’s Department, MI; Cleveland Metroparks Ranger Department, OH; Conneaut Police Department, OH; Cumberland County District Attorney’s Office, PA; Darke County Sheriff’s Office, OH; East Buffalo Township Police Department, PA; East Pennsboro Township Police Department, PA; East Syracuse Police Department, NY; Elizabethtown Police Department, PA; Fairgrove Police Department, MI; Federal Bureau of Investigation - White Plains Resident Agency, NY; Fishkill Police Department, NY; Fountain City Police Department, IN; Gahanna Police Department, OH; Grandville Police Department, MI; Greencastle Police Department, IN; Hampden Township Police Department, PA; Hancock County Sheriff’s Department, IN; Health Alliance Department of Public Safety, OH; Kent County Sheriff’s Department, MI; Kent State University Police Services, OH; LaPorte Police Department, IN; Logan County Sheriff’s Office, OH; Maineville Police Department, OH; Marion Police Department, OH; Miami County Sheriff’s Office, OH; Middletown Police Department, OH; New York State Division of Criminal Justice Services - Office of Audit and Compliance, NY; Northville Township Police Department, MI; Orange Village Police Department, OH; Plattsburgh Police Department, NY; Plumstead Township Police Department, PA; Poland Village Police Department, OH; Portland Police Department, IN; Richland County Sheriff’s Office, OH; Richland Township Police Department, PA; Southfield Police Department, MI; Spring Lake-Ferrysburg Police, MI; Tippecanoe County Prosecutor’s Office, IN; U.S. Department of the Treasury - Alcohol and Tobacco Tax and Trade Bureau, DC; U.S. Postal Inspection Service - New York Division, NY; U.S. Probation Office - Middle District of Pennsylvania, PA; Valparaiso Police Department, IN; Vincennes University Police Department, IN; Wellsboro Police Department, PA

Midwest (422)
4th Judicial District - Department of Correctional Services, IA; Alton Police Department, IL; Ames Police Department, IA; Antigo Police Department, WI; Bellevue Police Department, NE; Bethalto Police Department, IL; Burleigh County Sheriff’s Department, ND; Cherokee County Sheriff’s Office, KS; Elmhurst Police Department, IL; Fairfield Police Department, IL; Farmington Police Department, IL; Fort Hays State University Police Department, KS; Fulton Police Department, MO; Gurnee Police Department, IL; Haven Police Department, KS; Hutchinson Police Department, KS; Illinois Department of Financial and Professional Regulation - Division of Insurance, IL; Illinois State University Police Department, IL; Independence Police Department, MO; Jefferson City Police Department, MO; La Vista Police Department, NE; Lake Ozark Police Department, MO; Lansing Police Department, KS; Law and Justice Commission Mobile Training Unit 8, IL; Lawrence County Sheriff’s Office, MO; Madison County Sheriff’s Office, IL; Manson Police Department, IA; Marshalltown Police Department, IA; Mitchell County Sheriff’s Office, IA; Murray County Sheriff’s Office, MN; Oakley Police Department, KS; Oneida County Sheriff’s Department, WI; Ramsey County Sheriff’s Office, MN; Raytown Police Department, MO; Reno County Sheriff’s Office, KS; Rochelle Police Department, IL; Rolla Police Department, MO; Scott County Sheriff’s Office, MN; Sherman County Sheriff’s Department, KS; Shrewsbury Police Department, MO; Skokie Police Department, IL; South Lake Minnetonka Police Department, MN; Stearns County Sheriff’s Office, MN; Swift County Sheriff’s Department, MN; Taylorville Police Department, IL; Two Rivers Police Department, WI; U.S. Department of Agriculture - Rural Development Agency - Information Systems Security, MO; U.S. Department of Justice - Bureau of Alcohol, Tobacco, Firearms & Explosives - Kansas City, MO; University Heights Police Department, IA; University of Illinois Police Department, IL; Police Department, MO; University of Wisconsin-Milwaukee Police Department, WI; Vernon Hills Police Department, IL; Washington County Sheriff’s Department, WI; Whitewater Police Department, WI; Wood Dale Police Department, IL

Mountain (234)
Arizona Department of Real Estate - Investigations Division, AZ; Arizona State University Police Department, AZ; Cottonwood Police Department, AZ; Davis County Sheriff’s Office, UT; Englewood Department of Safety Services, CO; Globe Police Department, AZ; Layton Police Department, UT; Lone Tree Police Department, CO; Mohave County Attorney’s Office, AZ; Montrose County Sheriff’s Office, CO; New Mexico Taxation and Revenue - Tax Fraud Investigations Division, NM; Sevier County Sheriff’s Office, UT; Springerville Police Department, AZ; U.S. Attorney’s Office - District of Idaho, ID; U.S. Department of Homeland Security - Immigration and Customs Enforcement - Office of Investigations, UT; Vernal City Police Department, UT

International (16)
New Brunswick Securities Commission, Canada; Victoria Police Department, Canada

Total Member Agencies as of July, 2007: 2,575

JOIN NW3C!

Membership in NW3C is FREE! From the moment a law enforcement agency joins NW3C, it becomes part of an important network of opportunities. NW3C helps agencies coordinate enforcement efforts to combat emerging economic and cyber crimes. Based on membership classification, NW3C provides:
• Access to state-of-the-art training courses on financial and cyber crime investigation techniques.
• Analytical services and expertise to help you handle and better prosecute complex financial crime cases.
• Informational support through public records database searches from companies like LexisNexis, Choicepoint and ISO Claimsearch.
• Limited case funding for designated multi-state economic crime investigations.
• An understanding of high-tech and economic crime trends using the resources and empirical data gleaned from NW3C research.
• A powerful network of colleagues to share ideas and insights on economic and cyber crime.

To become a member or to get more information please visit https://members.nw3c.org and fill out the Membership Request form or call 1-800-221-4424 ext. 309.

PLEASE NOTE: Membership is for agencies only. Individuals or private companies are not eligible.

ASK Member Services

Who can join NW3C?
Membership with NW3C is by agency. There are two types of membership, Voting and Associate. To be eligible for membership, agencies must have a nexus to the prevention, investigation or prosecution of economic crime, cyber crime or terrorism and must meet the criteria of one of the following types:

Voting Membership: State and local law enforcement agencies; state and local prosecutors; or state agencies with criminal investigative authority.

Associate Membership: Any law enforcement agency or division of a federal or foreign government; state or local government agency with no statutory criminal investigative authority; or duly constituted permanent task force.

How can my agency join NW3C?
First check the list of members on the NW3C Web site. If another division of your agency is already a member, then your agency would need to reapply and request membership for the agency, not just the individual divisions. Check out the Members Web site at https://members.nw3c.org.

Have Membership Questions?
Contact Barbara Shanes, Membership Services Supervisor, at 1-800-221-4424, Ext. 336, or by e-mail at [email protected].

Recent comments from our members...

“Thank you for all you have done during this process and we look forward to a long and continued association with NW3C and its staff.”
Steven George, Information Systems Technology Specialist, U.S. Department of Agriculture - Rural Development Agency - Information Systems Security

“Thank you for all of your efforts.”
Ronald Palmer, Investigations Supervisor, Illinois Department of Financial and Professional Regulation - Division of Insurance

Maine Revenue Services

“…you guys (girls) are all so nice and helpful at NW3C...”
Mary Ann Vallus, Securities Investigator, Pennsylvania Securities Commission

Thank You to Our Member Agencies for Referring New Members!

Referring Member Agency | New Member Agency
Addison Police Department, IL | Wood Dale Police Department, IL
Bedford County Sheriff’s Office, VA | Liberty University Police Department, VA
Boone County Sheriff’s Office, KY | Crescent Springs Police Department, KY; Fort Mitchell Police Department, KY
Cumberland County District Attorney’s Office, PA | East Pennsboro Township Police Department, PA
Federal Bureau of Investigation, NC | Brunswick County Sheriff’s Office, NC
Florida Highway Patrol, FL | Southern Arkansas University Police Department, AR
Georgia Bureau of Investigation, GA | Spalding County Sheriff Department, GA
Hillsboro Police Department, OR | Northwest Regional Computer Forensics Laboratory, OR
Naperville Police Department, IL | Elmhurst Police Department, IL
New York State Department of Taxation & Finance - Office of Inspector General, NY | Albany County Department of Probation, NY
Ohio Attorney General’s Office, OH | Bethesda Police Department, OH
Orange County Sheriff’s Department, CA | Colusa County District Attorney’s Office, CA
Philadelphia Police Department, PA | Plumstead Township Police Department, PA
Phoenix Police Department, AZ | Springerville Police Department, AZ
Piqua Police Department, OH | Miami County Sheriff’s Office, OH
Reynoldsburg Division of Police, OH | Gahanna Police Department, OH
Rhode Island State Police, RI | Cumberland Police Department, RI
Saratoga County District Attorney’s Office, NY | Deschutes County District Attorney’s Office, OR
Social Security Administration - Office of Inspector General-Grand Rapids Field Office, MI | Spring Lake-Ferrysburg Police Department, MI
South Carolina Law Enforcement Division, SC | Berkeley County Sheriff’s Office, SC
Suffolk Police Department, VA | Suffolk Commonwealth Attorneys’ Office, VA
Sulphur Police Department, LA | Calcasieu Parish Sheriff Office, LA

Remembering Our Member Agencies’ Heroes Killed in the Line of Duty*
January 16, 2007 - July 15, 2007:

Trooper Jose A. Rosado, New York State Police, NY
Deputy Sheriff Jason Lee Saunders, Campbell County Sheriff’s Office, VA
Trooper David Brinkerhoff, New York State Police, NY
Lieutenant Corey Dahlem, Gainesville Police Department, FL
Deputy Sheriff Alan Inzer, Calcasieu Parish Sheriff’s Office, LA
Police Officer Thomas Devlin, Boston College Police Department, MA
Police Officer Sean Wissink, Des Moines Police Department, IA
Lieutenant Delmar Teagan, Florida Fish and Wildlife Conservation Commission, FL
Police Officer Charles J. Callemyn, Durham Police Department, NC
Police Officer Andrew Esparza, Irving Police Department, TX
Police Officer Anthony Jon Holly, Glendale Police Department, AZ
Police Officer Jason Campbell, Greenville Police Department, NC
Patrolman First Class Brian Coleman, Alexandria Police Department, LA
Corporal Nick Samuel Polizzotto, South Bend Police Department, IN
Police Officer Stephen R. Jerabek, St. Louis Metropolitan Police Department, MO
Police Officer Luke T. Hoffman, Montgomery County Police Department, MD
Detective Keith Dressel, Toledo Police Department, OH
Deputy Sheriff Raul V. Gama, Los Angeles County Sheriff’s Department, CA
Sergeant Howard J. Plouff, Winston-Salem Police Department, NC
Officer Harry Joseph Coelho, Honolulu Police Department, HI
Deputy Sheriff Kevin Carper, Spartanburg County Sheriff’s Office, SC
Deputy First Class Hilery A. Mayo, Jr., St. Tammany Parish Sheriff’s Office, LA
Auxiliary Police Officer Yevgeniy Marshalik, New York City Police Department, NY
Sergeant Linden Raimer, St. Tammany Parish Sheriff’s Office, LA
Auxiliary Police Officer Nicholas T. Pekearo, New York City Police Department, NY
Patrolman Christopher Mirabal, New Mexico State Police, NM
Police Officer Russel Timoshenko, New York City Police Department, NY
Deputy Kelly James Fredinburg, Marion County Sheriff’s Office, OR
Trooper Todd Holmes, Department of Public Safety, TX
Corporal Scott Wheeler, Howard County Police Department, MD
Senior Corporal Mark Timothy Nix, Police Department, TX
Master Trooper David Rich, Indiana State Police, IN
Police Officer Sean Clark, Charlotte-Mecklenburg Police Department, NC
Police Officer Dayle Weston Hardy, Plano Police Department, TX
Police Officer Jeff Shelton, Charlotte-Mecklenburg Police Department, NC
Sergeant Karl Strohsal, Longwood Police Department, FL

*Source: The Officer Down Memorial Page, Inc. Web site, www.odmp.org

contents

NW3C Members Corner
Greed: Financial Crimes are Contributable to Social Pressures
Los Angeles County District Attorney Fraud Interdiction Program
Instructor Spotlight: William Mosher
Training Course Descriptions and Schedule
Behind the Scenes of NW3C’s Identity Theft Investigations Training Course
Fraud Costs Canadians More Than Just Dollars
Real ID Act
Internet Scams, Cons and Theft
Case Investigation Highlights:
• Identity Thief Makes Fake Identification Cards, El Paso, TX
• Controller Scams Major Gas Conglomerate, Clermont County Sheriff’s Dept.
• 51 Arrested in Identity Theft Ring, Richmond Police Dept.
Wireless Network (In) Security
Tracking Anonymous Internet Surfing
Web Bugs

FEATURE ARTICLES
A Team Approach to Combating Identity Theft
The Changing Complexities of Identity Theft Investigations
Improving Identity Theft investigations
USPIS: A Leader in Fight Against Identity Theft
The UK Seeks Solutions to Identity Fraud Through Legislative Improvements
The Fight Against Identity Fraud (EU, UK, FR, Germany & Netherlands)

NW3C Board of Directors
Chairman: Glen B. Gainer, III
Vice Chairman: Brian Flood
Secretary: Christopher Cotta
Treasurer: Paul Cordia

Regions
Great Lakes: Philip Rosenthal
Midwest: Paul Cordia
Mountain: Kathleen Kempley
Northeast: Christopher Cotta
South Central: Brian Flood
Southeast: Michael Brown
West: Michael Stevenson

editorial staff
Loreal Bond • Lindsey Bousfield • Barbara Shanes • Laura Kenny • Cam Brandon • April Tillar • Regina Potis • Marcie Williams

This project was supported by Grant No. 2006-MU-MU-K002 awarded by the Bureau of Justice Assistance. The Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime. Points of view or opinions in this publication are those of the author and do not represent the official position or policies of the United States Department of Justice. The National White Collar Crime Center (NW3C) is the copyright owner of the Informant. This information may not be used or reproduced in any form without the express written permission of NW3C. This publication is also available for download in PDF format at www.nw3c.org. For questions or additional information, please contact Marcie Williams, Communications Manager, at [email protected]. ©2007. NW3C, Inc. d/b/a the National White Collar Crime Center. All rights reserved.

GREED: Financial Crimes Are Contributable to Social Pressures
By David Johnston, Enforcement Analyst, NW3C

Social pressures often make people feel financially inadequate. With greed taking over, there is nothing left to do besides embezzle money. Often it is those who already have money who feel the financial strain caused by greed. They feel that social acceptance is based on what vehicle they drive, how big of a house they own and the clothing they wear. As soon as they are trumped by another, greed takes over. They need to go bigger and better than anyone else, the question is: Can they afford it?

It is amazing how far people will go to keep up with societal pressures. Greed is a dangerous game that so many get wrapped up in. It is a downward spiral with few legal escapes. A game of “Financial Russian Roulette” can only go on for so long before one slip can bring it all crashing down.

For those of us who are not overly wealthy, we like to believe that money is not everything. We place wealth on items such as good health and happiness. Therefore, it is hard to quantify why those who are extremely rich need more money. The answer is that the rich define wealth in a different way. Wealth is determined by how much power you have and power is determined by how much money you hold.

So much of our daily life is dictated by what we can or cannot afford. When you see someone driving a luxury automobile and living in an oversized house the first thought that comes to mind is “that person must have a lot of money.” Probably the second thought is “I wish I could afford those things.” The point is we classify people based on the possessions that they have or do not have.

It does not stop at vehicles and homes either. We judge people by how they dress, what schools their kids go to, the lavish vacations they take, what country club they belong to, so on and so forth. Society is full of these judgments. Nobody wants to be known as the poor person who shops at the thrift store, drives a rusted out automobile, and lives in an inner city loft above the local businesses. We would much rather be viewed as the well off person living in suburbia; whether or not we can afford it. The reason for this is that the not so well off are considered to be social outcasts.

The media plays a huge part in these perceptions; fueling desires for material possessions. Realistically speaking, some people have no way of acquiring some of these material possessions; especially the wealthy who aspire to attain things that are beyond considerable means. The only means of obtaining such items are illegal¹.

Embezzlement in the workplace is increasingly common as society begins to dictate what lifestyle is acceptable. It is a fact of life that most everybody wants to be accepted by society. The problem is figuring out how to live the accepted lifestyle when you cannot afford to do so.

There are few ways to make money outside of working for it. Even fewer are the ways to make money, aside from working for it, which are legal. Legally, you can make extra money by winning some sort of a lottery, obtaining a large inheritance, or coming out ahead at a casino. The problem is that none of those are guaranteed. Realistically, the odds are stacked against you.

Illegally, you can obtain money through force, such as armed robbery of a bank. Or, if you cannot bring yourself to forcefully steal money, you can embezzle. Embezzlement is growing in popularity because it is actually relatively easy to perpetrate. You can embezzle money sitting behind a desk shielded by a computer. Risk is decreased, but the reward is just as great, if not greater, than a forceful robbery.

Modern technologies and complex business structures have aided in fueling the embezzlement fire. By making things more complex, it is harder for a bystander to suspect anything and equally as hard for an investigator to trace the crime back to an individual. With a few clicks of a mouse, a perpetrator can move money from a corporate account into his own pocket. With a few adjustments to financial records, nobody suspects anything to be amiss.

There are two perspectives that need to be considered in this matter. The first perspective is that the people without the means to afford an acceptable lifestyle will steal money so they can afford luxuries. The second perspective refers to the people who have luxuries, but have overspent their wealth and are now in debt.

The most common perpetrators originate from the middle class of society. However, the biggest threats are those in the upper class because they wish to obtain items beyond considerable means. Because the financial burden is often greater for the upper class, the size of their crimes needs to be larger as well.

Furthermore, the upper class has a greater ability of shielding embezzlement from onlookers. This is best proven by a 1953 study of embezzlers by Donald Cressey, in which he concludes that while most offenders appeared to be successful they were actually mired in debt².

Why focus on the upper class when everyone has the ability to embezzle? The answer is the upper class is awarded more opportunities to embezzle than anyone else. Within a company, the upper class represents those in high ranking positions, such as the chief executive officer or chief financial officer. Executives not only have very few people looking over their shoulders, but they also have access to more funds than the common worker. Due to these factors, embezzlement by executives creates a larger financial impact.

In the past ten years, there have been many cases where the upper class has embezzled millions just to keep up with society’s expectations. In 2005, Dennis Kozlowski (CEO, Tyco), in conjunction with Mark Swartz (CFO, Tyco), was convicted for misappropriating over $600 million. Kozlowski made plenty of money off of the stock market, but that was not enough for him. While with Tyco, he purchased real estate valued at over $18 million and threw a $2 million birthday party³.

Another example is the Adelphia scandal, which placed the Regis family in some deep water. John Regis (CEO, Adelphia) was accused of stealing over $66 million and using an additional $13 million in corporate funds to build a golf course on his property⁴. Of course, there are a couple other notables as well; Bernie Ebbers (WorldCom), (), (Enron), and Martha Stewart (Martha Stewart Living Omnimedia) being among the most popular.

In all of the previously cited cases, the embezzler was a top ranking executive with their respective company. Similarly, the offenders were already wealthy, but felt the pressure to steal more in order to obtain the most extravagant items. Why did they embezzle the money? They felt the social pressure to do so. In order to stay in the financial spotlight with people like Michael Dell (Dell Computers), Warren Buffet, and Bill Gates (Microsoft) they felt the need to attain the unattainable. Every single one of these embezzlers succumbed to greed. They had to be bigger and better than the next person.

How did the media provoke these actions? One example is the yearly ranking of the world’s billionaires and the richest Americans by Forbes, which assigns each individual a power ranking based on how much income he/she earned in the past year. This takes me back to my original definition of how the rich define wealth. Wealth is determined by how much power you have and power is determined by how much money you hold. Of course this is not the only source that ranks power and money, but it is among one of the most popular rankings and a strong example of how greed is powered by social pressures and the media.

As long as society continues to rank individuals based on money there will be an increasing problem with embezzlement. There will be a constant need to out-perform those who you consider to be close competition. Middle class citizens will feel the need to financially out-wit the other middle class citizens. Likewise, upper class will want to financially out perform the other upper class members. Economic crimes (embezzlement) are influenced by television and advertising, which promise that no one has to settle for second best⁵.

References

1. Association of Certified Fraud Examiners, The. 2007 Fraud Examiners Manual. ACFE, 2006-2007.

2. Weisburd, David, et al. Crimes of the Middle Classes. White-Collar Offenders in the Federal Courts, p. 65n. New Haven: Yale University Press, 1991.

3. MSNBC. “High-living CEO stole from Tyco, jury finds.” Associated Press, 2005.

4. Kagan, Daryn. News Conference on Arrest of Former Adelphia Executives. CNN, 2002.

5. Weisburd, David, et al. Crimes of the Middle Classes. White-Collar Offenders in the Federal Courts, p. 184. New Haven: Yale University Press, 1991.

The Los Angeles County District Attorney Fraud Interdiction Program
By Albert MacKenzie, Deputy-In-Charge, Fraud Interdiction Program and David Berton, Prosecutor, L.A. County District Attorney’s Office

Program Beginnings

In 2004, Los Angeles County District Attorney Steve Cooley initiated a unique pilot program to more effectively deal with the healthcare fraud crisis. It is called the Fraud Interdiction Program. Healthcare fraud adversely affects workers’ compensation, general health insurance, Medi-Cal, Medicare, and automobile insurance with enormous costs to both businesses and individuals.

Traditional methods of investigation are too slow and cumbersome to sufficiently prosecute the numbers of criminals engaged in these crimes. Additionally, Medicare and Medi-Cal fraud cases frequently involve elderly patients with limited memory and mobility. When a healthcare provider submits a fraudulent bill for services, allegedly rendered to the patient, it may be impossible for an investigator to interview the patient due to the patient’s mental infirmity. An investigator’s efforts can also be thwarted when the patient is an accomplice to the healthcare fraud, such as a fraudulent workers’ compensation case in which an employee fabricates an injury or enlists the help of a corrupt medical provider. Surveillance of the employee often discloses that the employee does not suffer the claimed injuries. The corrupt healthcare provider who facilitates the claim can simply state that they relied on the employee’s statements regarding their injuries.

Healthcare Fraud A National Problem

On March 20, 2007, the Honorable Leslie Norwalk, the Acting Administrator for the Centers for Medicare and Medicaid Services (CMS) testified before the United States Senate Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations. She discussed the enormity of Medicare benefits for 2007, projected at $454 billion. In discussing the goals of fighting insurance fraud and collecting on the tax debts of physicians, the Honorable Leslie Norwalk stated:

“The Los Angeles County Fraud Interdiction Program is one of the best examples of ongoing collaborative work at the intersection of health care fraud and tax evasion. This collaboration is achieved through a partnership of more than ten State and Federal agencies including the Centers for Medicare and Medicaid Services, the United States Department of Health & Human Services, the Federal Bureau of Investigation (FBI), major health insurance payers and other concerned organizations. The District Attorney for Los Angeles County is sharing this model approach with other counties within the State of California and also with other states. Statutes permitting, CMS would be interested in pursuing this on a federal level.”

A New, Yet Old Approach

The Fraud Interdiction Program uses an approach developed years ago to incarcerate the notorious gangster Al Capone, for tax evasion or tax fraud. The key to the program is participation by all healthcare payers including governmental agencies such as Medicare, insurance companies, and self-insured businesses.

Once a suspect healthcare provider is identified, an e-mail is sent to program participants asking them to disclose the gross amounts paid to the suspect for the past six years. The suspect’s accumulated payment information is then forwarded to a criminal investigations supervisor at the California Franchise Tax Board. If the suspect failed to file returns or under-reported state income taxes owed, the District Attorney’s Office is notified and provided with appropriate documentation from the Franchise Tax Board. A substantial percentage of medical professionals or organized crime elements engaged in healthcare fraud do not file state income tax returns or grossly under-report their incomes. In either scenario, this conduct equates to criminal tax evasion.

Major advantages exist with the tax evasion prosecution approach. First, a criminal investigation can be opened and felony tax charges developed in a brief amount of time. The process is so efficient that some viable felony tax cases actually developed on the very same day the suspect was identified and an inquiry made. Second, felony tax fraud charges have statutes of limitations which are longer than traditional insurance fraud charges. Third, this approach focuses on the higher echelons of culpable criminals, such as corrupt professionals including physicians

8 i N F O R M a nt : JULY 2007 - DECEMBER 2007 www.nw3c.org 9

and attorneys. In addition to tax fraud charges, money-laundering statutes can be used to increase prison sentences.

The Consequences

Prison time is not the only consequence that faces healthcare fraud perpetrators. Other consequences of conviction include suspension and surrender of medical licenses, seizure/forfeiture of assets and, as appropriate, deportation. California’s Business and Professions Code states a physician’s license may be suspended or revoked for unprofessional conduct, which substantially relates to the doctor’s qualifications, functions or duties. According to the California Medical Board’s Web site, tax evasion is a crime which can lead to revocation or suspension. Furthermore, a convicted felon is not eligible to be a Medicare provider.

Awards

The program has received numerous awards including the Los Angeles County Quality and Productivity Commission’s Silver Eagle award in October 2006.

About the Author

Albert MacKenzie, Deputy-in-Charge of the Fraud Interdiction Program, is a veteran trial attorney with over thirty-three years of prosecutorial experience. He has tried many high profile cases. Mr. MacKenzie spent thirteen years in the Major Fraud Division where he tried many defendants for white-collar crimes. He is in high demand to lecture and train other prosecutors and investigators. Currently, his goal is to expand the Fraud Interdiction Program in Los Angeles County and share the methodology with other jurisdictions.

David Berton is an award winning prosecutor with over twenty years experience prosecuting criminals. His notable assignments have included Sex Crimes, Child Abuse and Domestic Violence, Sexual Violent Predator, Major Fraud and the Fraud Interdiction Program. With a reputation for his attention to details and preparedness, he is an invaluable asset to the Fraud Interdiction Program.

Interested parties can contact the Fraud Interdiction Program at 201 North Figueroa Street, Suite 1500, Los Angeles, California 90012, Tel 213-580-3357 or 213-580-3348, Fax 213-202-5954 or at albert-[email protected].

Pauline Tannous and Ruzanna Poghosyan are law clerks with the Fraud Interdiction Program who contributed to this article.

Instructor Spotlight

“The training environment allows me to learn from the class...”

William Mosher, NW3C Adjunct Instructor and Senior Investigator, Financial Crimes Unit, New York State Police Department

Adjunct Instructor, William Mosher, is an instructor of the FIPS (Financial Investigations Practical Skills) and the WCCAT (White Collar Crime and Terrorism) courses. He has been teaching with NW3C since 2002. “The training environment at NW3C courses allows me to learn from the class while I attempt to share what has worked for us here in New York,” commented Mosher, “We share our experiences about what works and our frustrations with the obstacles we encounter.”

Mosher explains that while instructing a class he tries to moderate a discussion rather than lecture, allowing students to discover various methods used by their fellow classmates and investigators. In addition to his role as instructor for the WCCAT course, Mosher was also involved in the development of the class.

“What I love about teaching for the NW3C is the opportunity to meet and interact with law enforcement all over the country. The opportunity to teach for NW3C has allowed me to make friends all around the country. When I need help there’s usually someone to call and I’m here to help any way I can in New York.”

Since 2001, Mosher has served as the Senior Investigator in charge of the New York State Police Financial Crimes Unit. His unit is responsible for assisting with the financial aspects of criminal investigations. These investigations include money laundering and asset seizures as well as identity theft and embezzlements. The Unit is also responsible for providing the Treasury Department’s Financial Crimes Enforcement Network data to all state and local law enforcement in upstate New York.

Before becoming Senior Investigator for his unit, Mosher served as a trooper with the New York State Police, serving in that position since 1986. He is a trainer for the Financial Crimes Enforcement Network (FinCEN) and the New York State Department of Criminal Justice Services. In addition to NW3C courses, Mosher instructs all new State Police Investigators in financial crimes and money laundering investigations at the Bureau of Criminal Investigations Basic School.

If you are interested in becoming an adjunct instructor for NW3C please contact Dale Smith, Training Manager, at 877-628-7674, Ext. 262, or by e-mail at [email protected].

NW3C’s ACIAPT Training Course Gets Certified by the Department of Homeland Security

The Federal Emergency Management Agency, National Preparedness Directorate, National Integration Center’s Training and Education Division announced the certification of NW3C’s Advanced Criminal Intelligence Analysis to Prevent Terrorism (ACIAPT) on June 15, 2007.

The training will be listed in the catalog of approved courses published by the Training and Education Division as course AWR-158. NW3C curriculum developers worked with experts from law enforcement, military and national security intelligence organizations to develop the ACIAPT course.

The training is for law enforcement analysts, investigators, and other public safety personnel who have completed a basic intelligence analysis training course. The training includes instruction and practice in methodologies necessary to analyze a complex combination of all-crimes information in order to find indicators of potential terrorist activity. Students will examine and analyze communication records, financial data, criminal incident reports, bulletins and open-source information.

During the 5-day training, participants will:
• Use analytic techniques to find patterns, and develop useful intelligence products, charts, and briefings.
• Use case studies to look at ways to reduce analytical biases.
• Draw conclusions and develop tactical and strategic recommendations from their analysis.
• Learn and discuss ways to increase the effectiveness of their agency’s role in the bigger picture of Homeland Security.

Funding for ACIAPT and two other computer forensic courses that are nearing certification was made possible through a Department of Homeland Security Cooperative Agreement.

Check the NW3C training calendar for dates and locations of the ACIAPT training.

Course Descriptions

CYBER CRIME COURSES

CYBERCOP 101 - (BDRA) Basic Data Recovery and Acquisition

This 4-day entry level course is for those that are just starting with computer investigations. If you are a criminal investigator, prosecutor, or support staff whose duties include the investigation and prosecution of high-technology crimes and the seizure of electronic evidence, this course could be of benefit to you. It teaches the fundamentals of computer operations, hardware, and how to protect, preserve and image digital evidence. This class will introduce participants to the unique skills and methodologies necessary to assist in the investigation and prosecution of computer crime.

Cybercop 101 (BDRA) includes hands-on instruction and discussion about such topics as evidence identification and extraction, hardware and software needed to do a seizure, high-tech legal issues and more. The online component must be taken and each student must test out of it prior to being confirmed in the course.

This course is designed for individuals who already possess a good understanding of computers and common software applications. In addition, many of the forensic computer applications used in the class are executed from the DOS command line, making knowledge of basic DOS commands essential.

CYBERCOP 102 - (AFT) Introduction to Automated Forensics Tools

Cybercop 102 (AFT) is a 4-day course that serves as an introduction to Automated Processing applications. The course provides an overview of the use and features of three popular automated tools: ILook®, Encase® and FTK (Forensic Tool Kit®).

This is a basic class dealing with common issues found in processing computer-based evidence. One day is spent with each of the forensic tools in examining suspect systems. This course is not designed to produce “experts” in any one of the tools, but rather to allow one to get a feel for the tools to assist in deciding which one closely fits their current needs. Students will be introduced to each application through an instructor-led, hands-on scenario. Students will then process a total of three separate scenarios individually, with instructor assistance as needed.

Eligibility for attendance in the class requires that students have completed previous training such as Cybercop 101 (BDRA) or the equivalent.

CYBERCOP 201 - (IDRA) Intermediate Data Recovery and Analysis

This 4 1/2-day course is designed to be the “sequel” to the Cybercop 101 (BDRA) course. It covers the forensic examination of Windows®-based operating systems on a FAT File System, and includes things such as processing the Recycle Bin, the swap file, the registry, long file names, date and time information and other Windows® features.

Topical areas include LBA and hard drive access, partition table reconstruction, advanced imaging and restoration, recovering data from the registry, recovering Windows®-based passwords and processing the swap file, slack space and unallocated space, alternate media, print spool files, and application metadata. It also includes a comprehensive discussion of how partition tables work, processing alternate media such as memory cards, CDs and DVDs and advanced imaging issues.

The class is scenario-based, with the students examining a suspect’s hard drive through the course of the week, as well as additional pieces of evidence.

Eligibility for attendance in the class requires that the students have completed previous training in Cybercop 101 (BDRA) or the equivalent and have experience drawn from the application of the techniques utilized in the Cybercop 101 (BDRA) training.

CYBERCOP 202 - (ILook) ILook® Automated Forensic Application

Cybercop 202 (ILook) is a 4 1/2-day course that serves as an overview of the most used features of ILook® Investigator. It includes the IXImager to create a duplicate image of the hard disk and the examination of several hard drive partitions. The multiple aspects of this GUI-based forensic suite are presented with emphasis on imaging and processing of seized media. The student will walk through a case from previewing to the final reports and will be able to effectively conduct salvage, file signature analysis, registry analysis, hash analysis, deconstruction, keyword searches and more on seized evidence. It does not teach basic forensics, but rather how to use the tool to perform forensic examinations. Many of the built-in automated short cuts will be presented, which will assist in better case preparation and analysis.

It is expected that the students already know forensic processing issues. This course requires the applicant to have completed previous training in Cybercop 101 (BDRA) or the equivalent and students MUST be employed by a law enforcement agency.

CYBERCOP 203 - (E-MAIL) Windows® Client E-mail Data Structures

This 4 1/2-day course outlines the protocols utilized in e-mail delivery and retrieval, reviews e-mail headers, discusses spoofing, and teaches the forensic examination of systems where specific e-mail clients have been used such as Microsoft Outlook®, Outlook Express®, AOL®, and several of the Web-based e-mail programs such as MSN Hotmail®. This course is designed to be an in-depth introduction to e-mail client forensics. This course does not cover e-mail recovery from servers, only from the local computer.

Eligibility for attendance in the class requires that the students have completed previous training such as Cybercop 101 (BDRA) or the equivalent and have experience drawn from the application of the techniques utilized in the Cybercop 101 (BDRA) training.

CYBERCOP 301 - (NTx) Windows NT® Operating Systems and the NT File System

Cybercop 301 is a 4 1/2-day course that is designed to be an introduction to processing issues related to the Windows NT®, Windows 2000®, and Windows XP® operating systems. Topical areas include a detailed look at the New Technology File System (NTFS), the encrypting file system (EFS), dynamic disks, directory junctions, volume mount points, and processing issues such as recovering erased files, examination of the page file, unallocated space and slack space, recovering information from the registry and methods of gaining operating system and file system access.

Eligibility for attendance in the class requires that the students have completed previous training in Cybercop 101 (BDRA) and Cybercop 201 (IDRA), or the equivalent and experience drawn from the application of the techniques utilized in the Cybercop 101 (BDRA)/Cybercop 201 (IDRA) training.

CYBERCOP 302 - (INET) Windows® Internet Trace Evidence

This 4-day course is designed to teach the recovery of “trace evidence” that is left on a computer system as a result of the use of the Internet. It covers information about the use of Internet Explorer®, ®, AOL®, and several of the instant messaging tools like Yahoo®, AIM®, and MSN Messenger®. This is NOT an “Undercover Investigation” course!

Topical areas include the recovery and examination of cookies, cache, history files, and auto-complete information (passwords); Instant Messenger registry and file structure information; AOL Client/Communicator® stored-mail, buddy lists, address books and more.

Eligibility for attendance in this course requires the students have completed previous training in Cybercop 101 (BDRA) and Cybercop 201 (IDRA), or the equivalent and experience drawn from the application of the techniques utilized in the Cybercop 101 (BDRA)/Cybercop 201 (IDRA) training.

CYBER-INVESTIGATION 100 - (ISEE) Identifying and Seizing Electronic Evidence

Cyber-Investigation 100 (ISEE) is designed to instruct participants in the basics of recognizing potential sources of electronic evidence, preparing them to respond to an electronic crime scene, and to safely and methodically preserve and collect items of evidentiary value to be used in court proceedings.

Consisting of six hours of instruction, this particular course utilizes advanced adult learning skills. It takes the participants through a process and methodology that can be presented either in a basic recruit academy atmosphere or in an in-service training situation.

Cyber-Investigation 100 (ISEE) is an Instructor Development Project (IDP) course. In an IDP course, participants are trained to instruct the ISEE course. They are supplied with all of the course materials and training that will allow them to teach the course on their own, with support from NW3C. The course is designed to be taught by non-technical instructors. Instructors with varying investigative backgrounds will be able to grasp the concepts and materials necessary to teach the course.

The ISEE-IDP training will consist of a 3-day training event presented at several locations across the country. After attending the IDP course, ISEE Instructors will determine when and where to sponsor a class in their area. NW3C will post the course on our Web site for student registration and will provide all of the course materials, student roster, and certificates for the course. Continued updates to the curriculum will be provided to the ISEE Instructor.

Any individual interested in becoming an ISEE-IDP Instructor will be able to register through NW3C’s Web site. Once sufficient applications have been received, the IDP course location will be selected and applicants within that area will be notified.

CYBER-INVESTIGATION 101 - (STOP) Secure Techniques for Onsite Preview

Cyber-Investigation 101 is a 2-day course that is intended for probation/parole, detectives, and officers conducting “knock and talk” interviews or spot checks and home visits.

This class utilizes a Linux-based bootable CD to preview a suspect’s computer system for potential evidence in a forensically sound manner. The CD is based on the Linux operating system, and it has the advantage of being able to “read” other computer system’s files without writing to or altering the data on those systems.

CYBER-INVESTIGATION 201 - (BOTS) Basic Online Technical Skills

This 4 1/2-day course is designed for the officer who is new to on-line investigations, or for officers whose agencies are setting up an online investigation unit. The course will teach the basic technical skills involved in setting up an under-cover account, how to conduct and document real-time chats, instant messaging, and other on-line, real-time evidence acquisition, logging, etc.

Cyber-Investigation 201 (BOTS) gives an overview of the investigative considerations, ISP clients, searching newsgroups, peer-to-peer networking/e-mail and emerging techniques. An online component must be taken and each student must test out of it prior to being confirmed in the course.

Fast CyberForensic Triage (FCT)

This 3-day course will introduce investigators and first responders to the process known as Fast CyberForensic Triage. Fast forensics is defined as “those investigative processes that are conducted within the first few hours of an investigation, that provides information used during the suspect interview phase. Due to the need for information to be obtained in a relatively short time frame, fast forensics usually involves an on site/field analysis of the computer system in question.”

Introduction to Securing Law Enforcement Networks (ISLEN)

This 3-day course is designed for smaller departments to assist in the securing of their networks. The course helps network administrators/officers by providing tips and techniques for securing their network and covers items such as host-based security, physical security, LAN-based security and perimeter security.

ECONOMIC CRIME COURSES

Analyst’s Notebook® 6 by i2, Inc.

This introductory course provides hands-on training in this powerful analytical software tool. Analyst’s Notebook® 6 by i2 gives law enforcement the ability to visualize and analyze large amounts of investigative data. This course lays the foundations of the software capabilities and gives the user the skills to create basic link and timeline charts, allowing investigators and analysts to bring clarity to complex investigations.

In this 5-day training course, attendees will learn how the software can help in revealing patterns and hidden connections in the available investigative information. Students will also learn how to create useful charts for presenting information to others in an easily understandable form.

FCAS (Financial Crimes Against Seniors)

The FCAS training adds to students’ investigative skills and interviewing techniques to prepare them to more successfully pursue cases of financial exploitation of seniors.

NW3C curriculum developers worked with experts in elder abuse and financial exploitation from many areas of the country to construct this 3-day class.

Adult protective service investigators are also encouraged to attend this training, since the multi-agency approach to these crimes has a proven record of success.

The training helps begin the networking process that can continue out of the classroom and into real cases, capitalizing on the strengths of each type of agency.

FIAT (Foundations of Intelligence Analysis Training)

The need for well-trained intelligence analysts has become more critical in recent times. Law enforcement, military and national security entities all require skilled analysts to interpret growing amounts of information.

To address this need, much work has been done in the past few years to develop effective training in the field of intelligence analysis. NW3C has capitalized on the lessons learned from previous training initiatives in its development of the Foundations of Intelligence Analysis Training (FIAT).

The 5-day, 40-hour training covers the following topics:

Introduction to Intelligence Analysis
• History of Intelligence Analysis
• Purpose of Intelligence Analysis
• Intelligence Models
• Intelligence Cycle
• Legal Issues
• Resources

Intelligence Analysis as a Thought Process
• Fundamentals of Logic
• Critical Thinking
• Creative Thinking
• Inference Development

• Recommendations
• Development

Analysis Methods and Skills
• Introduction to Methods and Skills
• Crime Pattern Analysis
• Association Analysis
• Flow Analysis
• Strategic Analysis
• Communication Analysis
• Financial Analysis
• Indicator Development
• Products of Intelligence
• Reports and Presentations

FIAT is intended for law enforcement and regulatory personnel who have not received formal, basic intelligence analysis training.

FIPS (Financial Investigations Practical Skills)

This course provides “hands-on” training designed specifically to address the particular interests and needs of white collar crime investigators. Working as part of a multi-agency task force, participants develop the practical skills, insights and knowledge necessary to manage a successful financial investigation from start to finish, including: identifying and addressing complex criminal activities; organizing and documenting critical evidence; and presenting a case for prosecution.

This training will especially benefit investigators, auditors, prosecutors, paralegals, financial analysts and regulatory personnel who are learning the fundamentals of conducting successful financial crime investigations.

The 5-day, 40-hour training covers the following topics:
Day 1: Overview of white collar crime, criminals, victims, and the investigation
Days 2 and 3: Conducting a financial investigation
Day 4: Packaging and presenting findings and evidence
Day 5: Mock trial

Identity Theft Investigations Training

Identity theft exists in every strata of crime, from individual street crimes, such as purse snatching and mailbox robberies, to highly complex and organized criminal enterprises.

This 3-day course is intended for law enforcement, criminal intelligence analysts and prosecutors who may be involved with identity theft cases. Students will acquire an increase in awareness of the “bigger picture” of identity theft. They will also learn to recognize ID theft indicators and the potential nexus to terrorism and larger-scale criminal activity. The training promotes multi-agency and private-sector collaborations and teaches investigative best practices that lead to successful prosecutions.

This interactive, scenario-driven course presents:
• Investigative tools, techniques, and resources for investigating identity theft crimes.
• The “criminal tools of the trade” so students can learn about and recognize the low-tech and high-tech paraphernalia used by identity theft criminals.
• The basics of identity theft for financial gain, as well as identity theft for concealment, such as for terrorism or avoidance of prosecution.
• Proactive and reactive approaches to identity theft that provide students with practical investigative experience. A proactive response is needed when ID theft indicators are uncovered during the investigation of other crimes such as in drug raids; while the reactive response deals with complaints initiated by victims.

FREA (Financial Records Examination and Analysis)

Financial investigations are becoming more complex, requiring law enforcement agencies to concentrate resources and skills to resolve these crimes. A thorough investigation of all financial records is imperative to determine and document whether or not suspected financial fraud is occurring between individuals and/or organizations.

The course teaches investigators, analysts, examiners, auditors, prosecutors and other legal professionals the latest techniques in records analysis. This course is designed to develop the participants’ skills utilizing computers to examine and analyze financial records, and present evidence in written reports, graphical depictions, and testimony in court.

FREA’s 5 Course Sessions:
• Introduction to Analysis
• Financial Crimes
• Analysis of Financial Records
• Presentation Techniques
• Courtroom Activity

WCCAT (White Collar Crime and Terrorism)

When state and local law enforcement and regulatory personnel pursue the perpetrators of financial crimes, they can no longer be confident that the white collar crime criminal is prompted by greed and has a goal of “the good life.” It is entirely possible that what appears to be a commonplace, low-level economic crime is a small cog on a wheel of organized efforts to terrorize and harm America and Americans.

Law enforcement and criminal justice personnel must be prepared to identify these cases when they present themselves and then see them through to successful prosecution at the state and local levels. These cases are no longer solely within the purview of the federal government.

Introduced in 2005, this training is a mix of interactive exercises or discussion sessions and lectures by experts in their fields. The major subjects addressed in this course are domestic and foreign terrorist groups, identity crimes (including theft), money laundering, securities violations and prosecuting cases using the state RICO-type laws.

This course is intended for experienced investigators, analysts, auditors, prosecutors, paralegals, regulatory personnel and others involved in the investigation and prosecution of financial crimes. The goal of the training program is to provide working professionals with training in the areas needed to address this new twist to financial crime investigation and prosecution.

At the conclusion of training, participants will be able to:
• Identify identity crimes, securities violations and money laundering activities
• Employ investigative techniques to analyze financial evidence
• Assist in an effective criminal prosecution of the case

Economic Crime Foundation Series (ECFS)

NW3C’s first complete Online Distance Learning Program, The Economic Crime Foundation Series (ECFS), consists of five self-paced introductory level courses: Introduction to White Collar Crime, Elder Fraud, Identity Theft, Disaster Fraud, and Money Laundering. Access the following classes with your Username and Password on the NW3C “Members Only” Web site at: https://members.nw3c.org or ask your agency representative for more information.

Introduction to White Collar Crime
Familiarize yourself with the most common types of white collar crime. Learn about financial crime investigation and interview techniques. Find out where to go for important free resources.

Elder Fraud
Understand why seniors are targeted for financial crimes. Learn to recognize key indicators of their victimization. Receive tips on conducting investigations and interviews with elderly victims.

Identity Theft
Understand the many faces of this crime and why everyone is a potential victim. Receive tips on creative ways to investigate these cases. Learn vital prevention techniques.

Disaster Fraud
Become familiar with the that often abound after major disasters. Learn measures to minimize victimization from disaster frauds. Receive materials to use in educating, alerting and reminding consumers about frauds.

Money Laundering
Learn how money laundering works and why it is important that you know about it. Understand how local businesses may support terrorist activities. Find out about state-level money laundering investigations.

Course Schedule

CYBER CRIME COURSES

CYBERCOP 101 - (BDRA) Basic Data Recovery and Acquisition
Date | Location
September 17 - 20, 2007 | Fairmont, WV
September 17 - 20, 2007 | Tampa, FL
September 25 - 28, 2007 | Phoenix, AZ
January 14 - 17, 2008 | Nashville, IN
January 22 - 25, 2008 | Honolulu, HI
March 31 - April 3, 2008 | Burlington, KY
April 21 - 24, 2008 | Vassalboro, ME

CYBERCOP 102 - (AFT) Introduction to Automated Forensics Tools
Date | Location
To be determined | To be determined

CYBERCOP 201 - (IDRA) Intermediate Data Recovery and Analysis
Date | Location
September 24 - 28, 2007 | New York, NY
October 15 - 19, 2007 | Fairmont, WV
October 22 - 26, 2007 | Phoenix, AZ
November 5 - 9, 2007 | Little Rock, AR
December 10 - 14, 2007 | Albuquerque, NM

CYBERCOP 202 - (ILook) ILook® Automated Forensic Application
Date | Location
September 10 - 14, 2007 | New York, NY
September 24 - 28, 2007 | Springfield, IL
October 15 - 19, 2007 | Weyers Cave, VA

CYBERCOP 203 - (E-MAIL) Windows® Client E-mail Data Structures
Date | Location
To be determined | To be determined

CYBERCOP 301 - (NTx) Windows NT® Operating Systems and the NT File System
Date | Location
September 10 - 14, 2007 | Menomonie, WI
November 5 - 9, 2007 | Fairmont, WV
November 5 - 9, 2007 | Hutchinson, KS
December 10 - 15, 2007 | Myrtle Beach, SC
April 14 - 18, 2008 | Springfield, MO

CYBERCOP 302 - (INET) Windows® Internet Trace Evidence
Date | Location
December 3 - 6, 2007 | Fairmont, WV
February 11 - 14, 2008 | Birmingham, AL

CYBER-INVESTIGATION 100 - (ISEE) Identifying and Seizing Electronic Evidence
Date | Location
September 7, 2007 | Nashville, IN
November 29, 2007 | Kansas City, MO

CYBER-INVESTIGATION 101 - (STOP) Secure Techniques for Onsite Preview
Date | Location
September 17 - 18, 2007 | Lawton, OK
September 19 - 20, 2007 | Lawton, OK
September 26 - 27, 2007 | , IL
October 1 - 2, 2007 | Baton Rouge, LA
October 3 - 4, 2007 | Baton Rouge, LA
October 24 - 25, 2007 | Washington, DC
November 27 - 28, 2007 | Kansas City, MO
January 16 - 17, 2008 | Honolulu, HI
January 28 - 29, 2008 | Cleburne, TX
January 30 - 31, 2008 | Cleburne, TX

CYBER-INVESTIGATION 201 - (BOTS) Basic Online Technical Skills
Date | Location
To be determined | To be determined

ECONOMIC CRIME COURSES

ACIAPT (Advanced Criminal Intelligence Analysis to Prevent Terrorism)
Date | Location
October 15 - 19, 2007 | Totowa, NJ

Analyst’s Notebook® 6 by i2, Inc.
Date | Location
September 17 - 21, 2007 | San Diego, CA
October 1 - 5, 2007 | Dacula, GA
November 5 - 9, 2007 | San Antonio, TX

FCAS (Financial Crimes Against Seniors)
Date | Location
September 17 - 19, 2007 | Helena, MT
October 10 - 12, 2007 | Dacula, GA
December 3 - 5, 2007 | Vancouver, WA

FIAT (Foundations of Intelligence Analysis Training)
Date | Location
September 10 - 14, 2007 | Fairmont, WV
October 1 - 5, 2007 | New York, NY
November 5 - 9, 2007 | Jackson, MS
November 26 - 30, 2007 | Fairmont, WV
December 10 - 14, 2007 | Phoenix, AZ

FIPS (Financial Investigations Practical Skills)
Date | Location
September 24 - 28, 2007 | Myrtle Beach, SC
October 15 - 19, 2007 | Klamath Falls, OR

FREA (Financial Records Examination and Analysis)
Date | Location
October 22 - 26, 2007 | Des Moines, IA
December 3 - 7, 2007 | Baltimore, MD

IDTI (ID Theft Investigations Training)
Date | Location
October 31 - November 2, 2007 | Lincoln, NE

WCCAT (White Collar Crime and Terrorism)
Date | Location
September 5 - 9, 2007 | Garland, TX

For more information visit the training section of the NW3C Web site at www.nw3c.org or call toll free at (877) 628 - 7674.

For Cyber Crime Courses:
Damita Jones - Ext. 214, or Tammy Deavers, Ext. 234

For Economic Crime Courses:
Rose Dunigan - Ext. 267
Catherine Hammond - Ext. 268

18 INFORMANT: JULY 2007 - DECEMBER 2007 www.nw3c.org 19

NW3C’s Identity Theft Investigations Training Course

By Loreal Bond, NW3C Communications Assistant

Stealing personal information is increasingly becoming the crime of choice for criminals to get fast money. As criminals discover new ways to access personal information, law enforcement members continue to evolve their resources and methods of investigations against identity theft.

NW3C is doing its part to keep law enforcement and investigators up-to-date with the latest methods and skills used to investigate identity theft. Students in the Identity Theft Investigations course learn to recognize identity theft indicators and the potential nexus to terrorism and larger-scale criminal activity. The course also promotes the collaboration of multi-agency and private-sectors and teaches the best practices that lead to successful prosecutions.

The three day Identity Theft Investigations course is taught by NW3C instructors in cities throughout the country. The course is designed for members of law enforcement and investigators who deal with identity theft cases, teaching various skills of investigation through interactive case scenarios. The course was created for first responders but is also useful for experienced detectives and investigators who work with identity theft cases.

NW3C Instructors Explain the “Bigger Picture” of Identity Theft

Darryl Neier, NW3C Adjunct Instructor, taught the course in Dallas, Texas in March 2007. He explained why the Identity Theft Investigations course is important to law enforcement.

“The course shows investigators where to look for evidence and what to do with it; these are the essential elements to a successful investigation,” said Neier.

Neier has been an instructor for NW3C for over 10 years, teaching various courses including, FIPS, FREA, Disaster Recovery and Terrorism Financing. Neier explains that when teaching the Identity Theft Investigations course, he wants students to understand the “bigger picture” about identity theft and how it can be connected to larger more complex criminal organizations.

Neier stresses to his students the difference between identity theft and identity fraud. Identity theft refers to the stealing of personal information, such as a name, birth date, social security number or biographical information. Identity fraud refers to using someone’s personal information, without authorization, to create fraudulent accounts or conduct other illegal activities.

The course also promotes multi-agency and private-sector collaboration, especially between law enforcement, financial institutions and credit card companies. Neier states that police officers sometimes take complaints from citizens about identity theft but don’t know what to do next. The course teaches its participants how to work with and use the resources offered by other agencies.

NW3C instructor Jamie Sharp recently taught the Identity Theft Investigations course in Vancouver, WA in June 2007. She explains that students should understand that “identity theft can be found in all types of crimes, from robberies to computer hacking to larger criminal enterprises.” Sharp stresses that in order to address the problem of identity theft, law enforcement needs to utilize all available remedies; including theft, forgery, , money laundering, and racketeering laws.

Jamie Sharp, NW3C Training Instructor

The course encourages the collaboration between agencies, identifying other resources, public and private, and other agencies available to investigators with whom law enforcement can work. This cooperative effort and teamwork helps to avoid duplication of effort from different agencies.

Identity Theft Investigations Class Photo, Notre Dame, Indiana, July 9 - 11, 2007

“Many investigators attending the course leave having made ‘real time’ connections with other investigators or prosecutors they will work with in the future,” said Sharp.

Lieutenant Steven Siegel, Union County Prosecutor’s Office (NJ), recently began teaching the Identity Theft Investigations course. In addition to serving as detective, Siegel has been an instructor for law enforcement for 15 years. “Identity theft is one of the most pervasive crimes facing law enforcement today,” states Siegel.

Siegel suggests that an obstacle in investigating this crime is the volume of cases combined with the fact that they often cross state lines, requiring the involvement of several law enforcement agencies working on each investigation. Although multi-agency collaboration is absolutely necessary, it can be difficult to coordinate investigations with agencies that don’t have the same resources or who may have different procedures for investigating identity theft cases.

“This type of crime will continue to evolve as criminals find different methods of stealing identities and different ways of utilizing them. Law enforcement must also be dynamic and evolve, adapt and overcome these obstacles if we are to be effective,” said Siegel.

What Students Say About the Identity Theft Investigations Course

Kenneth Haben, Sergeant, Dallas Police Department, attended a recent Identity Theft Investigations course, held in Dallas, Texas. During a phone interview, Haben went on to explain his experience in the course.

“It was a NW3C course, so I knew that it would be exceptional inside and out. Their courses are always extremely informational and useful, always top notch,” said Haben.

Haben described his expectations for the course and its instructors as “extremely high and knowledgeable.” He was very pleased at the conclusion of the class, that his expectations had been met and exceeded.

“The scenario was perfect. It allowed us to follow along as the case progressed and encouraged interaction from students and the instructors,” said Haben.

Kenneth Haben, Sergeant, Dallas Police Department

In a major city like Dallas, TX, identity theft is not uncommon. Haben attributes the major struggles of investigating identity theft to lack of resources within police departments. The Dallas Police Department recognizes this rapidly growing issue and suggests that all Detectives participate in Identity Theft Investigations Training.

“The course is great training for detectives and first responders to the scene,” commented Haben, “Especially in small towns, first responders sometimes have to step in and handle these types of cases.”

Marvin Johnson, Supervising Patrol Officer for the Dallas Police Department, also attended the Identity Theft Investigations course held in Dallas.

Johnson explains his reasons for taking the course, “I attended the course to learn more about identity theft and what procedures to follow when first arriving on the scene. This is something I also want to relay to my troops on the streets so they know what to do when the situation arises.”

Marvin Johnson, Sergeant, Dallas Police Department

The Identity Theft Investigations course is taught in various cities across the country. Check the Training Schedule, on page 18, for upcoming classes in your area.

To find out more information about the Identity Theft Investigations course and other training classes offered by NW3C, visit our Web site at www.nw3c.org or contact Tammy Deavers, Cyber Crimes Program Coordinator, at 877-628-7674, ext. 234.

Money Matters

By Joanna Burgess, Acting Editor, Pony Express, Royal Canadian Mounted Police

There is no such thing as a victimless crime, yet for some reason, commercial or financial crime is sometimes awarded this title. Talk to any officer in the Royal Canadian Mounted Police’s (RCMP) commercial crime sections across the country and they’ll tell you about the human cost of financial crime, particularly when it comes to fraud.

“Everyone has a mother, father or grandparent, so how would you feel if your loved one was being taken advantage of?” asks Sergeant Jo Ann Smith, head of Project COLT in Montreal. COLT is an RCMP-led joint forces operation that investigates fraudulent telemarketing organizations.

Smooth Operators

Telemarketing is one method of mass marketing fraud — the most prevalent form of fraud in Canada. Mass marketing fraud involves any operation that solicits money from numerous victims promising them something in return, such as a prize or credit card.

“Lottery scams are something that really touches us as investigators,” Smith says. “People lose their life savings.”

Lottery and other prize-pitch scams tend to target the elderly. In Canada, people committing lottery fraud most often strike those living beyond our borders, particularly in the United States and United Kingdom. Victims are sent coupons to fill out, asking for an entry fee and/or personal information in order to enter a Canadian lottery.

“Once fraudsters receive the returned coupon or twenty dollars to participate, they know that they have a live one on the line,” Smith says. “These victims don’t even realize it’s illegal for them to play a foreign lottery.”

Weeks later, a person that did respond is called and told they’ve won, but in order to release the money, they must send thousands of dollars to pay customs, duties and any other tax the fraudster can think of.

“Because we’re dealing with seniors, and I’m not saying all of them are like this, but some just don’t remember that they already sent money, so they send money several times,” Smith says.

Fraudsters also repeatedly call their victims, who begin to trust their swindlers. “These fraudsters are the smoothest talkers around,” Smith says. Their victims are often lonely and disconnected from family and end up developing a relationship with whoever keeps calling.

People with bad credit are another vulnerable target. Fraudsters use telemarketing and print ads to lure victims into signing up for guaranteed credit cards or interest-free loans. Victims provide account information to pay an upfront fee, usually between $200 and $300.

Smith says these scams work on volume — the amount scammed is lower but the number of victims is higher. She says the last case COLT dealt with had over 20,000 victims who lost a combined $15 million.

According to statistics from Phonebusters, the Canadian Anti-Fraud Call Centre, the total value of loss reported as of October 2005 for prize-pitch scams was more than $40 million.

Technology is the greatest challenge in locating fraudulent telemarketing organizations. Historically, these scams were run out of rented spaces called boiler rooms from which employees called potential or actual victims.

“The reality now is that you can get a pay-as-you-go phone where there’s virtually no records of who you are and walking down a street in Montreal can be your boiler room,” Smith says.

Scam Busting

Smith says police need to be innovative, but also rely on good old fashioned police work when catching fraudsters. “They don’t respect any rules.” She says surveillance, wire taps and undercover work may all be used in investigations.

British Columbia has provincial legislation that is used to investigate. “The standard of proof is lower so we can gain a civil order where we don’t have to marry fraud activity to one bank,” says Sergeant Gerard West, head of Project EMPTOR, E Division’s version of COLT.

“We can go to all banks and ask for records related to x, y, and z and banks have to respond.”

West says this tactic speeds up the evidence gathering process. He says it helps identify the criminal so that his or her assets are frozen and sold so that some money can be returned to victims.

“It’s not always 100 per cent of what they lost but at least it’s something.”

EMPTOR and COLT include local authorities and federal organizations as well as U.S. authorities, so that files can be referred to the U.S. where most victims reside.

“Because of the different partners, we can harness their different talents and skills, so it’s easier to get information,” said West, “While bad guys use borders as a shield, we respond by establishing close partnerships.”

It is imperative that officers across the force share and report case information. Fraudsters are often linked to various types of crimes. Every detachment plays a role and must encourage victims to report cases.

Victims tend to send money by mail or wire transfers, so EMPTOR and COLT also work with Canada Post, Canadian Border Services Agency and wiring organizations to train employees what to look for and when to contact the RCMP.

They also work with authorities and organizations to raise public awareness through education programs. West and Smith say that education is the number one way to prevent fraud, and officers need to share their knowledge with their communities.

Identity Crisis

Lack of knowledge is also an issue when it comes to identity theft, a growing problem in Canada, according to Sergeant Michel Haché, in charge of the RCMP’s Payment Card & Identity Fraud Unit.

Haché says identity theft should actually be referred to as identity fraud because theft can mean different things to different people. With the exception of credit and debit card data, personal information is not considered property under the law and it is not illegal to be in possession of someone else’s personal information. It is only illegal to use another person’s information for personal gain.

The RCMP is publishing a student guide that covers all aspects of identity fraud. It was written by a student for students, but is useful to all Canadians.

“I gave a draft version of the guide to a Phonebusters staff member and even he said he learned something,” Haché says.

Protect Yourself

Criminals commit identity fraud for financial gain, to hide from the authorities, as vengeance or any combination thereof. They use someone else’s personal information to open accounts, attain loans or mortgages or to evade punishment for past crimes.

“It ranges from stealing a credit card to full blown impersonation,” Haché says.

Identity fraud’s repercussions are severe. Although banks do not necessarily require that you pay-in-full the tab amassed by a fraudster, it may take years to re-establish a good credit rating.

He says that those who commit identity fraud take advantage of the generally trusting nature of people.

“People don’t get conned because they’re stupid. Fraudsters know the mechanics of the human mind. They’re masters of social engineering.”

The four pieces of information criminals most want are a birth certificate or date of birth information, a social insurance or social security number, a passport and a driver’s licence. “With those four, or the information to build these documents, they’ve hit the mother lode.”

Haché says a key preventative measure is to only carry your driver’s licence and the cards you absolutely need — keep the rest in a secure location.

To date, legislation addresses the more common offenses of credit card theft or forgery and the use of credit card information by someone other than the card holder, as well as impersonation with intent of personal gain — a less common offense.

The full spectrum of identity fraud is not covered by law, so it is incumbent upon society to look after itself until the law catches up.

The public must always be wary when any person, organization or Web site is asking for personal information. “Be street smart,” Haché says. “Validate who you’re talking to.”

Tips to Avoid Identity Fraud

1. Don’t leave your birth certificate or SIN/SSN card in your wallet.
2. Shred documents with your personal information.
3. Protect your pin number when using your bank card.
4. Check your credit card reports annually.
5. Pay attention to your billing cycle - if bills stop coming chances are someone has rerouted them.
6. Don’t leave mail unattended and use a locked mailbox.
7. Keep your computer protected - use firewalls, good passwords, anti-spam, anti-virus and anti-spyware programs.
8. Have an up-to-date operating system.
9. Ensure your wireless system is properly secured.
10. Wipe personal information from your computer.

It is estimated that 10 million Americans are affected by identity theft each year [1]. The Law Enforcement Community is using collaborative efforts to fight against this rapidly growing crime.

Expanding across international borders, identity theft is a major problem that affects people around the world. Increasingly, local, state, federal and international law enforcement agencies are working together to share training and resources in order to successfully fight these elusive identity thieves.

1. Federal Trade Commission, Identity Theft Survey Report, September 2003, http://www.ftc.gov/bcp/edu/microsites/idtheft/downloads/synovate_report.pdf

A Team Approach to Combating Identity Theft

By Charles L. Cohen, Lieutenant, Indiana State Police

The Indiana State Police (ISP), like departments throughout the country, is inundated with identity theft investigations. Each year brings an exponentially greater number of victims looking for service, guidance and most importantly justice. Crimes involving identity theft are particularly insidious, in part, because they act as a facilitator and gateway to other criminality. Through the exploitation of stolen identities, criminals are able to finance the purchase of methamphetamine and other illegal drugs.

A critical step in most money laundering activities is the assumption of others’ identities, ISP Superintendent Paul E. Whitesell, Ph.D. said,

“Our agency, like most, has seen a significant increase in identity theft cases and has responded by dedicating more personnel and resources to these types of investigations. Working collaboratively with other criminal justice agencies is essential to adequately deal with this ever growing problem.”

The Indiana State Police engage in identity theft investigations that fall into two broad categories. The first category involves persons known to the victim. These crimes are often perpetrated by relatives, acquaintances and associates of the victim. Such crimes are relatively isolated and easily investigated. The victims often experience additional trauma when the investigation shows that an individual in which the victim placed trust violated that confidence; but each violator victimizes a limited number of individuals. The second category of identity theft involves a coordinated effort by skilled offenders, victimizing a large number of individuals, often covering a large geographic area and crossing jurisdictional boundaries. Such coordinated offense requires a coordinated response by law enforcement agencies with bailiwick over the impacted venues.

In order to effectively address this second category, it is necessary for investigative, victim services and prosecutorial agencies to cultivate strategic alliances before the need for a tactical response.

Such strategic alliances are different than the task force concept that gained popularity during the 1990’s. In the model developed in Indiana, state investigators work in partnership with the United States Attorney’s Office, forming ad hoc functional teams with various local and federal investigative agencies based on the needs of a specific investigation.

This paradigm produces results that could not be achieved by any individual agency unilaterally. The investigative needs determine the resources that are brought to bear, in contrast to a task force that directs specific resources at a class of criminality.

The team concept used in Indiana grew from an identity theft investigation in which a federally convicted identity thief used the identity of a prior victim to obtain a position of trust in State government. This criminal was able to use the stolen identity as a gateway to become the Chief Benefits Officer for the Public Employees Retirement Fund of Indiana. In order to effectively respond, it was necessary to form investigative partnerships among state and federal law enforcement agencies and prosecutors. These partnerships resulted in a successful investigation and prosecution, the provision of services to victims, and ultimately led to the discovery of other, unrelated skilled offenders operating inside the same entity. Since this success, the ISP has worked to build on, and cement such alliances with great success.

Susan Brooks, United States Attorney for the Southern District of Indiana, recognizes the impact that such collaborations have on successful identity theft investigations, commenting, “There is possibly no greater financial victimization that a person can endure than having one’s own identity stolen. Victims must work for months or years, and spend a significant amount of money in order to recover from this class of crime. It is through a team effort, among investigative, prosecutorial and service agencies from all levels of government that these victims are best served.”

One needs to look no further to see the benefits of building such inter-agency relations than an ongoing identity theft investigation. In this case, a skilled offender stole identifying information from tens-of-thousands of victims by intruding into a computer system.

Because investigators from ISP have an existing relationship of trust and understanding built through prior collaborative partnerships, it was easy to establish an interagency and multidisciplinary investigative team. This functional team was able to quickly form and execute a coherent investigative plan. Had there not been existing relationships on which to draw, precious time would have been lost and time-sensitive evidence would have disappeared.

Because there was an established level of comfort among the investigators actually involved in this case, it was possible to maximize the strengths of each involved agency.

In the era of global economy and global criminality, it is only through the establishment and nurture of such relationships that agencies, of any size, can effectively serve the public.

About the Author

Chuck Cohen’s formal education includes a Masters in Business Administration from Indiana Wesleyan University, and an undergraduate degree from Indiana University with a double major in Criminal Justice and Psychology. He is a First Sergeant serving the Indiana State Police, where he has been employed for twelve years. He is currently cross-designated as a Special Deputy United States Marshal, assigned to conduct federal and state political corruption and organized economic crime investigations. In the past, he has been assigned to various specialized investigative and enforcement assignments.

The Changing Complexities of Identity Theft Investigations Over 10 Years

By Chris Nelson, Senior Investigator, Jefferson County Sheriff’s Office (CO)

You can’t turn on a TV, radio or open a publication without hearing something about identity theft. We have heard all of the warning signs. Never give out your personal information. Shred everything. Don’t use your home mailbox to send outgoing bills. You may even be thinking that the Internet is a cause of identity theft. The truth is that ¾ of reported identity theft cases occur offline and have nothing to do with the Internet. So, why does identity theft continue to be the fastest growing crime? People ranging from everyday citizens to the rich and famous continue to think, “It can’t happen to me.”

If you think that identity theft can’t happen to you, ask yourself these few simple questions:

1. Have you used your credit card in the last 24 hours?
2. Have you used a large public blue mail box to mail an important document?
3. Have you written a check recently and did you use a ball point pen to write it?

If you answered yes to any of these questions, then you are susceptible to being a victim of identity theft.

You just ate a nice meal at your favorite restaurant. You pay for the meal with your credit card and you leave the merchant copy at the table in the nice leather binder. Have you ever really looked at the information contained on that merchant copy? You may even have the false sense of security that all but the last four numbers are covered with an “X” (Truncated). Many states do not require the merchant copy to cross out the numbers. Usually the customer copy, the one you take with you, is the only copy with the numbers crossed out. Why you ask? The law was created to protect people who leave their ATM receipts at an ATM. Did you sign the merchant copy? Now you have left your original signature behind. Is there an expiration date visible? Worried yet? I’m the suspect and I am sitting at a nearby table and I wait for you to leave. I grab the receipt off of the table and I now have all of your personal information. The suspect could be anyone and the chance of solving this case is rare but your identity has been stolen and you are out hundreds of dollars.

A 19-year-old suspect steals the large blue postal box from a street corner and takes it home to dump out all of the mail hoping to find your identity. In another similar case, the suspects steal the mail box and drive around town placing it on various street corners. They return later in the day to pick it up. When was the last time you used one of these “traveling” mailboxes? Did you even look at the white placard on the outside to verify the mailbox belonged at that location? Did you verify that it was even affixed to the ground while reaching out your car window to mail that bill? The crooks are counting on you to believe that it belongs there!

You write a check at a gas station and hand it to the clerk in the booth. Later when business is slow, the clerk takes out all of the checks and begins taking pictures of the account numbers, the routing numbers and your name and address with a camera phone. They then sell the information to pay off a drug debt.

Do you use carbonless checks? Do your under copies have your account number and routing number on them? Why? How many times does that stubborn under copy become dislodged and fall out? Who has your information now? You do not need that info printed on anything other than your original check.

Did you use a ball point pen to write your last check? Ball point pen ink does not absorb into the paper which allows the suspects to “wash off” the ink. By using nail polish remover on a cotton ball, it is easy to wash the ink directly off of the check and write in a new piece of information and to then cash it. Consider using a roller ball or uniball type of pen to write your checks.

It can happen to you! Maybe you are wondering right now if it has. Identity theft is the stealth crime of the new millennium. Apprehension is difficult. The suspects know this. Protect your identity and be aware that anytime you leave a receipt or a check or send out your personal information, it can happen to you.

About the Author

Certified Fraud Specialist Christopher Nelson, an investigator for the Jefferson County Sheriff’s Office (CO), has worked in law enforcement since 1989. He is currently a senior investigator in the Complex Crimes Unit. He has lectured extensively on identity theft throughout the United States and has been featured on PBS and Denver television news programs for his knowledge on identity theft. The Denver Post and The Canyon Courier have called him an expert on financial crimes and identity theft, working “to help fight the nation’s fastest growing crime.”

The City of Phoenix, like many other cities around our country, has seen a dramatic rise in identity theft cases during the past five years. In 2001, the Phoenix Police Department (PPD) received 595 reports of identity theft. By 2005, that number had grown to 2,014. That exponential growth in identity theft reports has resulted in a dramatic increase in the amount of time detectives are spending to assist members of the community in restoring their identity and credit.

Additionally, many identity theft victims are only interested in restoring their personal identity and credit and are not interested in prosecuting the person(s) who committed the crime(s) against them. However, all three major credit bureaus (Equifax, TransUnion and Experian) require a police report in order to start the process to fix a person’s credit that was damaged as a result of identity theft, fraud, etc.

Most identity theft victims are unaware of the steps that need to be taken in order to restore their identity and credit. Due to lack of awareness, our detectives were spending hundreds of hours each year explaining those steps required by major credit bureaus, to identity theft victims. As a result of the extra hours spent explaining this process to each victim, as well as the time needed to explain to each victim which documents we need to begin the investigation of their case, our detectives were losing valuable time needed to investigate their on-going cases.

Furthermore, our detectives were spending hundreds of additional hours each year writing and serving subpoenas to creditors and financial institutions to obtain the paperwork and information necessary to investigate identity theft cases. With the passage of the Fair and Accurate Credit Transactions Act (FACTA), victims can simply request that information from their creditors/financial institutions; and those institutions are in turn required by law to provide the victims with the information that they are requesting. The victims can now provide us with that information.

In order to improve its external customer service, members of the PPD’s Documents Crimes Detail developed a comprehensive identity theft victim’s packet to assist its community members in restoring their personal identity/credit and/or facilitate the investigation of their identity theft cases. This packet provides the following information:

• A page of general information and instructions on how a person can fix their identity and credit and assist us in prosecuting their case
• Two pages on the step by step process a person needs to take to fix their identity and credit. These pages include information on government, consumer and credit bureau Web sites that a victim needs to begin the process of fixing their stolen identity and credit
• Four pages containing an identity theft affidavit and 12 questions that provide investigative personnel a general overview as to what occurred
• A fraudulent account statement page
• A sample dispute letter for new accounts opened by the identity thief
• A sample dispute letter for existing accounts that may have been impacted by the identity thief
• Two pages containing information on the Fair and Accurate Credit Transactions Act of 2003 (FACTA law). The act allows victims to request information from creditors and provide that information to our detectives

This packet is provided to identity theft victims in one of three ways:

1. by the officer who takes the original report
2. by downloading a copy from the PPD’s public Web site
3. by requesting a packet by mail, if the victim was not given, or could not download it

Prior to the implementation of this packet, the following occurred when an identity theft report was completed by our department: (1) when the initial police report was completed, if the identity theft victim and/or the original investigating officer did not know the process for restoring the victim’s identity and credit, the victim was unable to take the proper steps to begin that process and had to wait until a detective contacted them, (2) once the identity theft report was assigned to a detective, the detective had to contact the victim to explain the steps that needed to be taken in order to restore their identity and credit, (3) the detective had to then take the time to explain to the victim which documents were needed in order to begin an investigation into the incident(s) in question and (4) the detective had to wait until the victim could provide the document(s) needed to begin investigating a case, write subpoenas to obtain the information needed for the case or close the case altogether if the victim did not desire prosecution.

By providing an identity theft victim with our new packet, via any of the three delivery techniques, the PPD has eliminated steps one, two, and three of its investigative process and reduced the wait time for step four. Furthermore, the PPD has increased its investigative efficiency, improved its external customer service and reduced victimization.

Our identity theft victim’s packet was introduced in December 2006. Since its introduction, our detectives have seen a dramatic decrease in the amount of time spent explaining the identity theft process to crime victims and they have significantly reduced the number of subpoenas they’ve had to direct to financial institutions. That time has been redirected to other investigative processes. Additionally, identity theft victims have been able to reduce the amount of time that it takes to restore their identity/credit.

This packet and process has been shared with other local agencies in Arizona who have adopted the identity theft victim’s packet as a best practice. Any law enforcement agency wanting further information on this packet can contact Lieutenant Giles Tipsword at giles.tipsword@phoenix.gov.

About the Author

Lt. Giles Tipsword is the unit commander for the Phoenix Police Department’s Technical Investigations Unit which is responsible for all of the Document Crimes and Auto Theft investigations for its department.

To download a copy of the Identity Theft Victim Packet, visit http://phoenix.gov/POLICE/idtheft_packet.pdf.

Five Keys to Preventing Identity Theft*

1. Review your credit report annually.
• www.annualcreditreport.com
• Report any unauthorized accounts to law enforcement

2. Promptly remove mail from your mailbox
• Identity thieves steal both incoming and outgoing mail

3. Pay attention to financial account statement billing cycles
• A missing statement may be an indication that your account address has been changed

4. Shred all financial documents when you are through with them
• Especially pre-approved credit card offers
• Any document containing any of your personal identifiers

5. Never give out your identifiers unless you initiate contact
• Attempts are usually done via the phone or Internet
• Identifiers include account numbers, PINs, DOB, SSN, etc.

For more tips on how to protect yourself from identity theft, visit www.richmondidtheft.com

* Provided by the Metro Richmond Identity Theft Task Force.

How do you fight a crime that has no boundaries and doesn’t discriminate against its victims?

Identity theft is the fastest growing crime in the United States, costing Americans billions of dollars every year. The Federal Trade Commission estimates that nine million Americans have their identity stolen each year.

Establishing over 20 task forces across the country, the U.S. Postal Inspection Service (USPIS) is leading the fight against identity theft. These task forces work cooperatively with local agencies, organizations, and private businesses to investigate and prosecute identity theft and financial crimes.

Postal Inspectors and Task Force Leaders Dave McGinnis and Joe Kleinberg, talked with NW3C to discuss the important role that task forces play in the fight against identity theft.

“Task Forces give law enforcement, local authorities and citizens somewhere to go when faced with identity theft,” commented Kleinberg.

“Cooperation is key when trying to fight a crime that spreads across borders,” said McGinnis.

[Photo: Dave McGinnis, Task Force Leader, Metro Richmond Identity Theft Task Force and Roanoke Valley Financial Crimes Task Force; and Joe Kleinberg, Task Force Leader, Massachusetts Financial Crimes Task Force.]

Dave McGinnis is the Task Force Leader for the Metro Richmond Identity Theft Task Force and the recently established Roanoke Valley Financial Crimes Task Force. The Richmond Task Force has been in existence since October 2004, protecting citizens against identity theft related frauds and schemes. The task force works cooperatively with 16 core, participating and private industry members, including local police departments, the FBI and NW3C, to investigate and prosecute various identity theft related crimes.

The Roanoke Valley Financial Crimes Task Force, created in March 2007, was created to address the growing problem of financial crimes and identity theft in the area. The Roanoke task force also emphasizes cooperation between agencies working with core participating and private industry members.

Most recently the Metro Richmond Task Force’s “Operation Reconcile” resulted in the arrest of 51 individuals involved in an identity theft ring. As of April 2007, 35 of those arrested have been convicted; other cases are still pending.

Joe Kleinberg is the Task Force Leader of the Massachusetts Financial Crimes Task Force. For several years, the task force has been active in the investigation of financial crimes and identity theft. Working with federal agencies and local law enforcement, the task force is useful in cracking down on identity fraud crimes.

One major responsibility of these task forces is to educate the general public and financial institutions about identity theft and how to protect their personal information and businesses.

McGinnis and Kleinberg explain that their task forces coordinate victim oriented outreach programs for the public. Presentations can be requested for financial institutions, local law enforcement and credit card companies. Both the Richmond and Massachusetts task forces give five to six presentations each month. Recently, the Massachusetts Task Force co-hosted a fraud-awareness seminar for local financial institutions, health care providers and law enforcement, where NW3C’s Training Instructor Jamie Sharp, was a guest speaker.

In November 2006, the Richmond Task Force began running the ad campaign, “Think Before You Do IT” Identity Theft = 2 years in Federal Prison”, throughout the metro-Richmond area. The campaign promotes consumer identity theft awareness and lists the task force’s Web site. “Our Web site is a great resource for the public, where they can find out information about protecting their identity and what to do if you have had your identity stolen,” said McGinnis.

Both the Richmond and Roanoke task force Web sites allow victims of identity theft within the area to file complaints, involving mail fraud, with the local USPIS office. Citizens can also report scams they’ve encountered and learn about current scams that are being used to steal personal information.

“The best way to inform and teach the public about identity theft is to get out there and talk with other agencies and businesses,” said Kleinberg.

Each task force holds a monthly meeting with local law enforcement, fraud committees and private businesses to discuss the major issues they face regarding investigations of identity theft and financial fraud crimes.

With the growing number of identity theft complaints reported each year, finding time to investigate every case becomes a struggle for these task forces. McGinnis and Kleinberg agree that the lack of resources, especially on the local law enforcement level, can also be hurdles in fighting this crime. One of the reasons for establishing these task forces was to address this problem. Serving as liaisons between agencies and local law enforcement, task forces attempt to fill the gap, allowing agencies to communicate and share their resources.

While these task forces work closely with other agencies and law enforcement to investigate identity theft, they also offer prevention tips for citizens and even resources for victims.

According to Kleinberg, there are three major misconceptions about identity theft among consumers:

1. Most identity theft victims are senior citizens.
Not true. Anyone can be a victim of identity theft.

2. Using the Internet increases the chances of having your identity stolen.
Actually, using the Internet can minimize the chances of having your identity stolen. Using online resources such as online banking, allows consumers to check their accounts more often, noticing any discrepancies sooner.

3. Consumers are helpless against identity theft.
Consumers can minimize their chances of having their personal information stolen by following simple prevention tips such as reviewing your credit report each year.

Both McGinnis and Kleinberg comment that the most common types of identity theft they encounter, when working with their task forces, are done by “old fashioned” methods. Most of their reported cases of identity theft involve the stealing of personal information by an associate or someone who has access to the victim’s personal information or the stealing of someone’s mail.

Those who believe they may be victims of identity theft can protect their personal information and finances by requesting a “fraud alert” on their credit report, working with their banks to close accounts, filing a police report and using the online resources, such as the Federal Trade Commission’s Web site (www.ftc.gov) or the Richmond Task Force’s Web site (www.richmondidtheft.com) to file complaints.

As identity theft investigators, McGinnis and Kleinberg emphasize the cooperative efforts of law enforcement, agencies and private organizations. While they suggest investigators should have some common knowledge in computer forensics to successfully investigate identity theft, both agree “nothing beats good old fashioned police work, get out there!”

To find out more information about the Metro-Richmond Identity Theft Task Force, visit www.richmondidtheft.com or the Roanoke Valley Financial Crimes Task Force, visit www.roanaokefinancialcrimes.com.

Contact the Local USPIS Task Force Division in Your Area

USPIS Division | Task Force | Task Force Leader/Co-Leader | Business Number
Atlanta | Atlanta | Gina Harrell | (404) 608-4568
Atlanta | Birmingham | Frank Dyer | (205) 326-2907
 | | Todd Villari | (205) 326-2900
Boston | Boston | Joe Kleinberg | (617) 556-4428
Charlotte | Memphis | Jack Dietz | (901) 576-2107
Chicago | Chicago | Jeff Sack | (312) 983-7975
 | | Joe Pirone | (312) 983-7883
Chicago | Springfield | Basil Demczak | (217) 788-7450
 | | Tyler Mower | (217) 788-7452
Denver | Minneapolis | Keith Hayden | (651) 293-3236
Denver | Salt Lake City | Joe Schouten | (801) 974-2275
Fort Worth | Oklahoma City | Brian Burnett | (405) 553-6524
Los Angeles | Los Angeles | Tony Galetti | (213) 830-2529
Los Angeles | Phoenix | Doug Hilburn | (602) 223-3241
New York | New York | Phil Bartlett | (212) 330-3344
Philadelphia | Philadelphia | Keith Salter | (215) 895-8406
 | Northern Kentucky | Ron Verst | (513) 684-8035
Pittsburgh | Pittsburgh | Joseph Bell | (412) 359-7797
San Francisco | Hawaii | William T. Terry | (808) 423-3797
St. Louis | St. Louis | Denny Simpson | (314) 539-9482
 | | Tom Kern | (314) 539-9429
Washington | Richmond | Dave McGinnis | (804) 418-6120
Washington | Roanoke | Dave McGinnis | (804) 418-6120

The UK Seeks Solutions to Identity Fraud through Legislative Improvements

By Kevin McNulty, Head of the Identity Fraud Reduction Team, Identity and Passport Service

The United Kingdom (UK) is in the process of undertaking significant changes to its legislation, policy and organizational structures to seek to impact upon identity fraud.

Fraud Offenses

One of the most significant elements of this change is the Fraud Act of 2006. The Act, which came into force on January 15, 2007, replaced a complicated array of pre-existing over-specific and overlapping deception offenses. These offenses had proved inadequate to tackle the wide range of possible fraudulent activity today, or keep pace with rapidly developing technology.

In their place, the Fraud Act established a new general offense of fraud which can be committed in three ways:

• by false representation
• by failing to disclose information
• by abuse of position

It also established a number of other new specific offenses to assist in the fight against fraud. These include offenses of:

• possessing articles for use in fraud
• making or supplying articles for use in fraud
• obtaining services dishonestly

The offense of fraud by false representation is expected to capture the majority of new incidences of identity fraud. The offense is triggered where an individual dishonestly makes a false representation and intends, by making that representation, to make a gain for himself or another, or to cause loss to another (or expose another to a risk of loss). This provision, like the others in the Act, aims to provide simple, comprehensive and flexible offenses to meet the needs of investigators and prosecutors, and to effectively combat the increasing use of developing technology including, electronic means of transfer in the commission of fraud offenses.

Data Sharing

Pilot exercises in the identity fraud arena in the UK have regularly demonstrated striking examples of what can be done when public and private sector data is shared, with particular potential to reduce financial crime, money laundering and fraud. One significant barrier to this sharing of data identified with public sector bodies was that their underlying powers set, or are perceived to set, unnecessary limits on data sharing within the public sector and beyond.

The Serious Crime Bill, which is currently close to concluding its passage through the UK legislative process, seeks to address the issue of government agencies sharing information for crime prevention purposes. Specifically, the bill would provide the powers for public authorities to disclose information to an anti-fraud organization for the purpose of preventing fraud. This provision would allow for the exchange of data to combat fraud between the public and private sector, and also between different public sector organizations, to highlight potentially fraudulent applications for goods and services.

A similar provision to allow for the greater exchange of data between the public and private sectors to prevent fraud was also finalized in 2006. Provisions in the Police and Justice Act of 2006, allow for death register information to be shared with law enforcement agencies, and other organizations (to be specified) to prevent the identities of those who have passed away from being used to commit fraud. It is hoped that the early release of death registration information to a wider range of public and private sector organizations, that currently receive such data, will assist in combating such frauds. The Registrars General, who are responsible for death register information in the UK, are currently implementing their proposals for the operation of disclosure schemes.

Fraud Review

These legislative changes are aimed to impact the prevention of identity fraud before it can occur, as well as aiding the investigation and prosecution of successful attempts.

Outside of this, the government is undertaking a comprehensive and holistic review of fraud and anti-fraud efforts. The Fraud Review has sought to propose ways to reduce fraud and the harm it does to the economy and society. A priority of this work will be to establish a national fraud strategic authority, which will be the forum for public and private sectors to develop a national strategy for tackling fraud across all the agencies who seek to combat it. This will include establishing a mechanism for developing:

• accurate and regular measurement of the extent of fraud
• a national fraud reporting center to take crime reports from victims and develop intelligence to tackle fraud and organized crime related to fraud
• proposals for the establishment of a national lead force, which will aim to complement existing police force capacity and provide a center of excellence for complex and serious cases

A detailed program of work is now being established to take the Review’s work plan to the next stage.

National Identity Scheme

The UK has also embarked upon the introduction of a National Identity Scheme for its citizens. The National Identity Scheme is designed to be an easy-to-use and secure system of personal identification for adults living in the UK. Its cornerstone is the introduction of national identification cards for all UK residents over the age of 16. Each ID card will be unique and will combine the cardholder’s biometric data with their checked and confirmed identity details, a “biographical footprint”. Amongst its benefits the Scheme will seek to reduce identity fraud and to improve access for citizens to public services. According to the currently envisaged timetable, biometric immigration documents will be issued to foreign nationals from 2008 and ID cards will be issued to British citizens from 2009.

Combating Identity Fraud

In 2003, the government established the Identity Fraud Steering Committee (IFSC) to work with public and private sector organizations to identify and implement cost effective measures to counter identity fraud, and ensure that resources are targeted to resolving problems. A number of initiatives are in place to reduce identity fraud and increase our understanding of the issue. These include work to:

• improve public awareness of identity fraud through www.identitytheft.org.uk and other means
• identify new opportunities for sharing fraud data across the public and private sectors
• establish the extent and cost of identity fraud to the UK economy
• improve training provided to those in the financial sector responsible for checking customers’ identities
• seek to increase successful prosecutions for identity fraud related crimes

The UK hopes the implementation of all these measures, those already introduced and those being worked on further, will have a significant impact on fraud prevention, understanding the scale of the problem and its impact upon the UK, and lead to more effective and successful investigations and prosecutions.

The Identity Reduction Team leads on the development of government policy and practice concerning the reduction of identity fraud. It seeks to ensure close working relationships with a range of internal and external stakeholders to further projects to reduce identity fraud and gain a better understanding of the issue. It is also responsible for the provision of advice to Home Office Ministers and senior officials on identity fraud policy.

The Identity and Passport Service was established as an executive agency of the Home Office in the United Kingdom on April 1, 2006. The Agency builds on the strong foundations of the UK Passport Service (UKPS) to provide services and in the future, as a part of the National Identity Scheme, ID cards for British and Irish national residents in the United Kingdom.

The Home Office is the government department responsible for leading the national effort to protect the public from terrorism, crime and anti-social behaviour. To learn more about the United Kingdom Home Office, visit www.homeoffice.gov.uk.

About the Author

Kevin McNulty has been a civil servant for 14 years and has worked with the Identity Reduction Team for the past 12 months. Amongst previous roles, he has worked on policy on computer crime, online child protection, money laundering and confiscation.

The Fight Against Identity Fraud: Addressing Issues in Europe, the United Kingdom, France, Germany and the Netherlands

By Gemma Keats, Katy Owen and Martin Gill
Perpetuity Research and Consultancy International Ltd.

Identity fraud and identity theft are not constrained by national boundaries; they are international risks which threaten the security of countries worldwide. Indeed as one study [1] states, identity fraud has become the “catalyst” for a range of financial crimes, drug trafficking and terrorism. Furthermore, concern over identity theft is increasing; according to one source, it is the fastest growing crime in the world. [2] Figures collected by CIFAS- the United Kingdom’s (UK) Fraud Prevention Service for example, show that reported cases of identity and impersonation fraud have risen from 16,000 incidents in 2000 to 80,000 during 2006 [3]; whilst a global telephone survey revealed that three percent of consumers in Germany had been victims of identity theft. [4]

Individual countries take different approaches to tackling identity theft and fraud. A study [5] undertaken by Perpetuity Research provides a brief overview of how identity theft and fraud were being addressed in the European Union (EU), the UK, France, Germany and the Netherlands at a given point during 2006. This involved reviewing relevant documentation and was supplemented by interviews with representatives from some of the European countries.

The study found that there were measures in place within each of the countries to either directly or indirectly respond to identity theft and fraud. These were a mixture of legislative and non-legislative measures delivered by law enforcement agencies, public authorities and private sector organizations. Furthermore, there was some evidence to suggest that these measures were being adjusted or added to in order to improve the response to identity crimes.

In the UK, the police response to identity theft was limited, due in part at least, to it not being a specific offense under criminal law. However, the Fraud Act of 2006 and Identity Cards Act of 2006 will help to define identity theft and fraud. For instance, the Identity Cards Act of 2006 created offenses relating to possession, control and intent to use false identity documents, including genuine ones that relate to someone else. Meanwhile, the UK is also improving its response to identity crimes through the controversial introduction of identity cards to protect British citizens’ identities and the awareness raising work of the Home Office Identity Fraud Steering Committee.

The study also revealed that unlike the U.S., there was not a specific offense related to identity theft or fraud in France, Germany or the Netherlands. Instead, existing law provisions for crimes such as forgery, unlawful data collection and data abuse, fraud or imposture were used to aid the prosecution of identity offenses. One individual interviewed in the Netherlands identified the limitations of using existing laws to address identity crimes and highlighted the desire amongst some for a specific law for identity theft and fraud.

Interviews revealed that although identity theft was recognized as an issue in France, it was not perceived by some as being on the same scale as in the UK. This was partly attributed to the existence of identity cards, which made it more difficult to steal a person’s identity. Perhaps, as a consequence, there did not appear to be many measures in place in addition to the identity cards, to address identity fraud, nor was there much awareness raising of the issue. Internet fraud was, however, seen as a problem and French banks had invested money in Internet security, and had sought to improve the public’s awareness of the risks involved in on-line banking. Furthermore, the government had undertaken a study of identity theft in France benchmarking it against other countries; the findings of which may be used to guide planning on future response.

A similar situation was found in Germany where identity theft was not considered a significant issue by some; a greater focus was placed on Internet fraud. Nevertheless, an identity card scheme was in place and improvements were made to passports to protect against identity fraud. The study found that as of March 2007, the chips in German passports would hold a digital frontal photo of the bearer and two fingerprints (one of each hand). The idea being that the photo and fingerprint would be compared against the holder of the passport at border control.

The interviews revealed that the approach taken to address identity offenses in the Netherlands was being improved. For example, the Dutch police were developing protocols to make it easier to ascertain the true identity of immigrants and foreign nations. An expert group was also being set up by the police and the agency responsible for controlling borders to focus on identity theft related to immigration. Meanwhile, the Dutch government was working towards improving the quality of identification documents and the system used to generate them. A central reporting point for victims was also being developed.

Finally a number of departments and forums within the European Commission proposed a range of measures to improve the response to identity theft and fraud in the EU and member states. These include:

• Under the EU Fraud Prevention Act Plan of 2004-2007, to consider setting up an electronic database of original and counterfeit identity documents for law enforcement agencies and private sector organizations to access for information purposes.
• Under the EU Fraud Prevention Act Plan of 2004-2007, to consider setting up a single phone number in the EU for notification of lost or stolen cards.
• The Law Enforcement Group- a sub group of the Fraud Prevention Expert Group proposed setting up centralized law enforcement units with operational investigative means in all EU member states to address non-cash payment fraud and to improve the training for law enforcement officials to prevent and address economic and financial crimes.

This study was undertaken by Perpetuity Research and Consultancy International Ltd. For more information about the work they are involved in or for details of how to obtain a copy of this report (‘The Fight against Identity Fraud: A Brief Study of the EU, the UK, France, Germany, and the Netherlands’) please refer to their Web site www.perpetuitygroup.com or ring +44 (0) 116 222 5555.

References

1. Gordon, G.R., & Willox, N.A., (2003), Identity Fraud: A Critical National and Global Threat, Economic Crime Institute.
2. Baltazar, I., & Fons, K., (2005), Assessing the Identity Chain: A Quality Working Document that Makes All the Difference, Keesing Journal of Documents and Identity, Issue 10.
3. Figures taken from CIFAS- the UK’s Fraud Prevention Service Web site: http://www.cifas.org/default.asp?edit id=556-56
4. Information taken from Unisys Global Financial Services (2005) Unisys Web site: http://www.unisys.com/financial/news_a_events/all_news/11118600.htm
5. Owen, K., Keats, G., & Gill, M., (2006), ‘The Fight against Identity Fraud: A Brief Study of the EU, the UK, France, Germany, and the Netherlands,’ Perpetuity Research and Consultancy International Ltd.

About the Authors

Martin Gill is Director of Perpetuity Research and Consultancy International and a Professor of Criminology at the University of Leicester. He has published over 100 journal and magazine articles and 11 books including Commercial Robbery, CCTV, and Managing Security. He is co-editor of the Security Journal and founding editor of Risk Management: an International Journal.

Katy joined PRCI in September 2003 after receiving a distinction in her MSc in Criminology from the Department of Criminology at the University of Leicester.

Gemma joined PRCI in November 2004. She graduated from Lancaster University with a BA (Hons) in English Language in 2002. Since then she has received a distinction in her MA in Applied Research and Consultancy, also from the University of Lancaster.

I supervise the enforcement activities and criminal investigations for the largest state inspector general’s office in the country. My staff completes over 60,000 investigations per year. Roughly eight-percent (8%) or approximately 5,000 of all those investigations are criminal felonies. Our criminal investigations are sent to approximately 200 district attorneys’ offices in Texas’ 254 counties.

The stakes are high and the credibility of every prosecutor who handles our cases is at issue when we send our investigations for prosecution. The counsel table is a very lonely place to be if irreparable investigative mistakes are discovered. I have been there; and I lie awake many nights thinking of how “not” to put another prosecutor in that situation.

As a trial attorney I have spent most of the last decade living in a courtroom. Prosecuting rapists, murderers, child molesters and white-collar criminals was my daily duty. Each crime that I prosecuted had certain elements. Each element had to be proven beyond a reasonable doubt in order to achieve a conviction. The elements of each crime became a pair of “reading glasses” for me. When an investigator came to present a case of Misapplication of Fiduciary Property, I knew the Texas Penal Code required me to prove seven elements. As the investigator began to pitch his case I would put on my “elements-reading glasses” and look for where the evidence would fit into the charge we were considering. The elements of each crime are something that still guide my daily decision-making, because they are the building blocks of every crime.

The only element that is the same for every crime is identity. From federal courts to state courts to crimes committed in other countries; it is not enough to prove that a crime was committed. You have to prove that the defendant sitting in the courtroom is the person who committed the crime. The defendant must be tied to every element of the crime and you must prove it beyond a reasonable doubt or you will not be entitled to a verdict of guilty. Needless to say, identity is the most important element of any crime. When something occurs which may help or hamper my ability to prove identity, it gets my attention. Say hello to the Real ID Act. [also known as §§201-205 of Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Hurricane Recovery, 2006 (Public Law 109-234)].

The Real ID Act prohibits federal agencies from accepting a state-issued driver’s license or identification card (presented for official purposes [1]) that does not meet the minimum requirements and issuance standards. Applicants will have to prove that they are U.S. citizens, nationals, or have lawful immigration status. In short, it will turn your driver’s license into a national identity card.

The Real ID Act will have an enormous impact by requiring states to have a procedure in place which will allow them to re-issue all 240 million existing driver’s licenses with federally compliant cards. It will also alter the way the Department of Motor Vehicles operates in every state. §202(d)(6) of the Real ID Act requires states to:

“Refuse to issue a driver’s license or identification card to a person holding a driver’s license issued by another State without confirmation that the person is terminating or has terminated the driver’s license.”

There is no computer system that currently exists which would allow states to comply with this requirement. To address this requirement a national database will have to be created to allow states to run queries on driver record information.

Section 202 (d) (12) requires states to: “…provide electronic access to all other States to information contained in the motor vehicle database of the State.” Further, §202(d)(13) of the Real ID Act requires states to

“Maintain a State motor vehicle database that contains, at a minimum……all data fields printed on drivers’ licenses and identification cards issued by the State; and…..motor vehicle drivers’ histories, including motor vehicle violations, suspensions, and points on licenses.”

Implementing this rule will require that digital drivers license photographs and digital identification documents must be exchanged with other states. This is another reason that a national database must be created to allow states to run queries and exchange driver history and image information to new licensing jurisdictions.

Finally, to understand The Real ID Act we must examine it in the context of other similar technological developments and movements including; (1) the Sunrise Date, (2) the European Union’s Galileo satellite system, (3) the major players who have legislated, financed, designed, implemented and currently control these developments, (4) Radio Frequency Identification [RFID] applications, (5) biometrics, and (6) emerging laws and technologies that are complementary to the administration of these existing public policies. The Real ID Act is a part of something much larger. It is part of a global movement towards digital and RFID public policies governed by the private and public sectors.

About the Author

Bart Bevers is the Deputy Inspector General for Enforcement with the Texas Health & Human Services Commission – Office of Inspector General (HHSC-OIG). He oversees all the enforcement activities involving fraud, abuse & waste in the health and human services systems. He supervises a staff of over 300 employees in three enforcement sections which include General Investigations (GI), Medicaid Provider Integrity (MPI) and the State Investigations Unit (SIU). Mr. Bevers began his career in law enforcement in 1995 working for the Dallas County District Attorney’s Office, where he was the Chief Prosecutor in five different criminal courts; including prosecution in all 15 criminal district courts. He specialized in prosecuting felony white-collar criminal offenses.

Mr. Bevers received his B.A. Degree in Psychology from Southern Methodist University in 1986, and his Juris Doctor degree (J.D.) from the University of Tulsa in 1995. He is licensed to practice law in Texas and is certified as a Certified Fraud Specialist (C.F.S.) by the Association of Certified Fraud Specialists, Certified Homeland Security, Level III, (C.H.S-III) by the American College of Forensic Examiners Institute and a Certified Inspector General (C.I.G.) by the Association of Inspectors General. He has personally tried over 450 contested trials.

References

1. Official purposes include, (1) accessing federal facilities, (2) boarding federally regulated commercial aircraft, (3) entering nuclear power plants, (4) accepting food stamps and other federally-funded benefits, and (5) any other purposes designated by the Department of Homeland Security.

Internet Scams, Cons and Theft
By Greg Donewar, Manager, Internet Crime Complaint Center

Historians, writers, poets, and philosophers have referenced the treachery of humans throughout the ages. The settling of America’s “wild” west often bears vision of a romantic and simpler life filled with adventure, yet around the turn of the last century, settlers of the Wild West found themselves victims of a colorful variety of scam artists, confidence men and swindlers. Philip Arnold masterminded the famous Diamond Hoax in 1872 and Dr. Samuel Bennett was a renowned “thimble artist” who cruised the Mississippi. There was famous con artist Joseph Weil, who inspired the movie “The Sting”. Armed with an arsenal of snake oils, potions, gimmicks and tricks, criminals of yore preyed on their unsuspecting victims with great deftness.

Fast-forward to these technologically advanced times of computerized gadgets of all sorts, high speed Internet and across the world real-time news reporting via satellite. We might presume a greater degree of sophistication and ability to weed through the claims of charlatans and con men. Yet evidence of just the contrary abounds. In fact, some analysts believe most scams and cons are simply a variation of tried-and-true schemes used for decades.

In January 2007, the United States General Services Administration published and distributed its 2007 Consumer Action Handbook, a guide largely aimed at helping consumers avoid being duped, scammed or conned. The 174-page guide is full of useful tips and resources aimed at minimizing consumer loss through illegal and unscrupulous activity. The consumer education Web site Lookstoogoodtobetrue.com posts the latest trends and scams along with a host of learning opportunities for consumers, all aimed at reducing victimization. Despite a sea of knowledge to guard against victimization it still occurs and, according to some experts, with greater frequency than ever before.

It is impossible to engage in dialogue about Internet crime without asking the question, “Why”? Why do individuals routinely and continually fall victim to scams and ruses that, to even the casual observer, seem to be easy to detect and avoid?

A report from the National Institute of Justice indicates that future crime trends will be predicated on criminals adapting to changes in the environment and responding in ways that thwart attempts to impede application of their illegal trades. This report supports the theory that, as the tools and techniques become more refined in blocking illegal activity, the criminals will continue to refine their methods in response to these efforts. The same report proposes that globalization will affect crime trends due to differences in culture, language, laws and behavioral norms. In answering the question “Why”, this work indicates that criminal behavior follows crime prevention and detection; however, the proliferation of software solutions to detect and identify illegal behavior indicates a chase-strategy of software developers fixing vulnerabilities after a security breach rather than preceding it. In a white paper published by Microsoft Corporation, the perspective is clear that the criminals are on the offensive, actively pursuing victim opportunities.

Social scientists lay cause on the root of human behavior. Roles in this arena are twofold: that of the offender, and that of the victim. The offender has a talent for identifying vulnerable prey. Their knack for intuitively exploiting an individual’s insecurities, weaknesses and manipulating a perceived common interest are instrumental to their success. These talents along with non-descript physical attributes make it difficult for victims to resist developing a comfort level that exposes them to victimization.

Some studies of victims point to qualities that indicate neediness, desperation, timidity or lack of fulfillment; yet some victims are powerful, wealthy, educated and socially refined. Reaching deeper, some research indicates perhaps an innate, primal need to accumulate objects of value as a survival mechanism, the premise being that holdings, money or objects have value that can serve as the means to sustain an organism. Thus, humans are predisposed to have a propensity for greed that is hardwired into our primitive behavior. Coupled with social and cultural pressures that emphasize wealth, the drive to acquire things of value is compelling to the point of irrational behavior. One researcher implies that the desire to acquire wealth is so compelling that great risk is extended, no matter how slim the chance. Social implications are also blamed as being responsible for individuals not withdrawing from a bad situation for fear of being perceived as unkind, impolite or callous.

Knowing “Why” individuals are routinely victimized gives us insight to developing viable solutions. Strong evidence indicates we must a) develop offensive strategies in combating cyber crime, b) encourage social norms that embrace altering individuals’ value system and which diminishes motivation for committing crimes, c) improve global interoperability in investigative capability and d) aggressively pursue research to identify successes and failures and offer rapid solutions for improvement.

The Internet Crime Complaint Center project continues to fortify these initiatives by providing a consistent focal point to report Internet crime, developing and sustaining real-time research information and serving as the bridge and conduit to connect

Continued on page 57

Case Highlights

Identity Theft: The Complex Criminal
By Arthur Spindler, Investigator, Identity Theft Unit, El Paso Police Department

In today’s society, identity theft is in the back of everybody’s mind. Society does not comprehend the magnitude of identity theft. Let’s face it; identity theft is the fastest growing and one of the most lucrative crimes today. The following case shows just how complex identity theft can be.

A tip was received about identity theft anonymously from a law office in El Paso, Texas resulting in the execution of a search warrant. While executing the warrant several documents were seized along with an ID card printing machine, approximately 400 ID card blanks, blank check stock, a laminating machine, numerous false driver licenses and a laptop computer. It should be noted three of the four subjects involved were already incarcerated when the tip came in.

The printer seized was a Polaroid-75, which is a special printer used to print identification cards. When the blank ID card is fed into the printer, it starts layered printing by the use of a multi-color ribbon. As one layer is printed, the ribbon advances to another color and the process is repeated until complete. When the printing process is complete, the card is ejected from the printer. The printer was taken to the photo lab technician for evidence recovery. After two days of reviewing the ribbon, several Arizona and Nevada driver licenses were found along with Department of Veterans Affairs Identification cards, Teamsters identification cards, and Food Handlers cards.

[Photo caption] The printer ribbon prints onto the card in layers. After one layer has printed, the ribbon advances and the next color is printed. This ribbon was examined and several images of identifications were located.

In a closet under the stairs, a black plastic file case was found. The file box contained the identities of 89 victims. The information contained in the files was interesting. I found names, dates of birth, social security numbers, past and present addresses, home and cell phone numbers, employment history, driver license information, and believe it or not, credit reports and loan applications. All in all, there were a total of 295 victims of identity theft from all over the country.

[Photo caption] Organized file box containing identifying information on 89 victims. The files contained name, addresses (home and work), date of birth, social security number, phone numbers (home, work and cell), credit reports with account numbers, bank names and account numbers, next of kin and loan applications.

While going through the files, I found many contained highlighted sections. The sections highlighted were credit scores and credit card accounts with account numbers. With this information the subjects would create a fake driver license with their photo on it. Once done making the license, the subjects would go to local businesses and complete credit applications in the assumed name. Some of the merchandise purchased was for them but most of it was sold on the street at half price. What didn’t sell on the streets was taken to pawn shops. Checks were printed using the information contained in the files and were cashed at various businesses throughout the city.

Their demise occurred when they attempted to complete a credit application and the store clerk felt something was wrong. The clerk contacted the police who arrived and conducted the initial investigation. When the officers checked the subjects for identification, they provided fake driver licenses. The officers checked the licenses on their M.C.T. (Mobile Computer Terminal). Information displayed on the screen of the M.C.T. revealed the licenses were valid. The officers continued their investigation and located a phone number listed on the credit application. The officer called the number and spoke to the victim who lived in Arizona. The subjects were taken to Identification and Records for fingerprinting in the hopes of identification. One subject was positively identified through his fingerprints while the other two subjects finally provided their true identity.

Continued on page 57

Controller Scams Major Gas Conglomerate
By Sergeant David Doyle, Clermont County Sheriff’s Department

On May 26, 2006, the Clermont County Sheriff’s Office received a call from the Chief Executive Officer of a major gas company conglomerate, wanting to report an internal theft. The CEO believed the theft had occurred over the past several months and felt one of his employees was responsible for the offense. The case was assigned for investigation and the following information is what my case investigation revealed.

On May 30, 2006, I responded to the gas company and met with the CEO and a small group of his subordinates. The CEO stated that his newly employed controller discovered a large discrepancy in their financial records. Money was missing from several of his business accounts. From September 2005, until May 2006, money appeared not to have been deposited into his business accounts. The sum of money determined to be missing from the business was $60,232.49. The CEO was not clear on how the money was being scammed from his business but one of his subordinates had a hypothesis on how it occurred.

The subordinate, who was the former controller for the business, stated she felt the current controller was responsible for the theft. The current controller was hired on July 01, 2005 and took over all the financial responsibilities related to the business. The subordinate provided me with documents which indicated the current controller had changed the password on her computer. This meant she was the only one inside the company who had access to the business’s financial bookkeeping and business records. There was no way to maintain a system of checks and balances. Further documents revealed that she was responsible for physically transporting cash, checks and money orders to the bank for deposit. Two other employees for the business would physically write out the deposit slip for the money to be deposited into the company’s account. Once the slip was completed, these two employees would place the deposit slip into the current controller’s mail tray for deposit.

From this point, the controller obtained the deposit slip along with the money for deposit and transported them to the bank. The bank was in close proximity to the gas company; therefore, the transaction should have only taken fifteen to twenty minutes to complete. “Red flags” arose when fellow employees noticed that the controller was gone for an inordinate amount of time during these trips. An investigation into bank records indicated the current controller was the only employee making the deposit and oddly enough, all transactions were completed at the bank’s drive-through window.

Original business bank deposit slips were recovered from the business which did not coincide with the deposit slips received by the financial institution. It was determined that once the controller received the business bank deposit slip, she would then forge deposit slips which she would then use to make the deposit. She completed this theft from the business by skimming the cash from the deposits, and only depositing checks and money orders into the business account. Further investigation revealed the controller was returning from the bank with the original deposit slip provided to her from the business and filing the slip into a folder. She would also return the deposit slip given to her from the bank, which if examined by other staff members, would have shown a discrepancy and money shortage. The controller disposed of the forged and newly created deposit slip used at the bank at an unknown location.

A business bank book was located inside the controller’s office which also reflected the inaccuracies with the procedures administered by the controller. The controller had this particular bank book locked inside a cabinet for which only she had a key.

The controller was interviewed about the misappropriation of funds and denied any knowledge or involvement in the theft. She was subsequently indicted for Grand Theft, a Felony of the Fourth Degree, and she pleaded guilty to the charge in the indictment on January 17, 2007. She was ordered to pay restitution in the sum of $51,924.69 to the businesses’ insurance company and $8,307.80 to the gas company. She was sentenced to five years of community control. The guidelines of the court stipulated she not be employed in a position where she has control of or access to employers’ financial records or cash such as bookkeeping, accounting, controller or office manager.

Richmond (VA) Police Are Doing Their Part to Fight Identity Theft
“Operation Reconcile” brings Fraud Thieves to Justice
By Loreal Bond, NW3C Communications Assistant

As identity theft becomes more common in busy cities, the Richmond Police Department is doing its part to crack down on these criminals. In November 2006, the Metro Richmond Identity Theft Task Force concluded “Operation Reconcile”, an initiative that resulted in the indictment of 51 individuals on federal charges of identity theft and other related charges.

[Photo caption] Detective Jennifer Musselwhite of the Richmond Police Department worked with Operation Reconcile to bring down the 51 identity thieves.

Richmond investigators became aware of the crimes after receiving various complaints from the postal inspection service, local banks and private citizens.

The offenders were able to steal the identities of their victims by phishing for personal data, contacting employers at their businesses, stealing wallets, mail and “dumpster diving.”

Detective Musselwhite explains the struggles that investigators face when investigating identity theft.

“It’s such an easy crime. This type of crime transcends social and economic barriers, people everywhere can do it. You can’t put these criminals in the same category all the time. I believe that you box yourself in when you have pre-conceived notions about people.”

[Photo caption] Jennifer Musselwhite, Detective, Financial and Technology Crimes, Richmond Police Department

It is for this reason that Musselwhite suggests that most identity thieves do not share the same criminal profile or characteristics.

Musselwhite instead suggests that there are common reasons why people commit identity theft. In her investigative career, the most common explanations for committing identity theft have been for maintaining drug habits, those who are working but in a financial bind and those who make their living from their crimes. The one thing these reasons have in common is money. Most identity thieves want to improve their financial status. When investigating a case of identity theft, a good place to start is the suspect’s financial background, including their debt to income ratio.

When investigating a case, Musselwhite agrees that the best way to gather evidence is to go out and talk to the victims, keepers of records (when working with banks) and anyone else that may be involved in the crime.

To date, 28 of the individuals arrested have entered guilty pleas; 26 were charged with aggravated identity theft, which carries a mandatory prison term of 24 months and a fine of up to $250,000. Seven others have federal charges pending and the remaining are either in state custody or fugitives pending arrest. Thirty-three of those arrested were repeat-offenders and 38 lived in the Richmond and surrounding area.

Check Kiting Scheme

Richmond Police Detective Jennifer Musselwhite knew something was wrong when she heard the name Marilyn Roberson mentioned several times in compliance reports filed by several Richmond area banks.

“I was familiar with Roberson from a past case where she was indicted for fraud related identity theft charges,” said Musselwhite.

In February 2006, Marilyn Roberson was convicted of conspiracy to commit bank fraud, sentenced to 66 months of imprisonment and ordered to pay $186,137.63 in restitution to six area banks that were affected by her scheme.

Roberson was no stranger to Richmond detectives and investigators. More than a few times, she had been convicted of fraud crimes.

Over the months of June 2004, and January 2005, Marilyn led a ring of 11 individuals in a conspiracy to commit bank fraud. During this time, Roberson directed others to open nine different bank accounts and paid them for the use of their existing accounts for the sole purpose of negotiating worthless or stolen checks.

Roberson was able to steal funds by depositing checks from one account into a second bank account and withdrawing the funds before the check cleared. This is a scheme known as check kiting. The National Check Fraud Center defines check kiting as the “process of depositing a check from one bank account into a second bank account without the sufficient funds to cover it.”

During the trial process, Musselwhite was helped by NW3C analysts to develop extensive flow charts which showed how money was bounced around various accounts and how it all linked to Roberson.

“NW3C was a life saver, we had to prove to the jury that Marilyn was directly involved in the check fraud scheme,” said Musselwhite. “NW3C was able to take something extremely complicated and make it understandable to the jury.”

The investigation was led by the Metro Richmond Identity Theft Task Force, with participation from the Hanover Sheriff’s Office.

Send Us Your Story!

Submit your successful white collar crime case to be published in the Informant. We accept successful case stories on any white collar crime subject. Visit our Web site, www.nw3c.org, for submission and author guidelines.

Contact Us Today! For more information, contact Loreal Bond at [email protected].

We look forward to seeing your white collar crime case in the next Informant!

40 i N F O R M a nt : JULY 2007 - DECEMBER 2007 www.nw3c.org 41 to dictionary-based cracking attacks. With WEP, Aircrack takes a statistical approach judging the likelihood of certain hex-pairs that make up a WEP key, and brute-forces the resulting pairs with the greatest likelihood of being part of the key. The ability of Figure 2: Kismet detecting IP addresses in use on a wireless network an attacker to recover a WEP key from packet dumps containing WEP-encrypted data is only a matter of time. Aircrack is capable SSID Cloaking of running a dictionary-attack against WPA encryption, procuring The SSID, or name, identifies the wireless access point and is the password/pass-phrase out of a packet dump containing only broadcast in beacon frames, or chunks of data identifying and a single WPA “handshake”, or authentication process. describing the access point and its capabilities. With SSID cloak- ing enabled, the SSID is not included in beacon frames, and, Wireless Network Security Features without the SSID, an attacker cannot establish a connection to Wireless access points feature options to protect against eaves- the wireless network. Wireless clients will reveal the SSID when n October 25th, 2004, at 11:20 p.m., Paul Timmins that WEP is not generally accepted as a trustable means to dropping and unauthorized access, but these security features they periodically disconnect and reconnect. Using a packet-sniffer, and Adam Botbyl (known by their hacker aliases secure confidential data traversing a wireless network. The are mere obstacles that can be circumvented or broken by a an attacker can easily find the SSID. “noweb4u” and “itszer0”, respectively) parked their Department of the Interior was held responsible for the inse- determined attacker. For the purposes of this research project, In the graphic (Figure 3), Kismet has detected the SSID of an white 1995 Pontiac Grand Prix outside a suburban cure storage and transmission of Individual Indian Trust Data. 
the circumvention and exploitation of wireless network security AP with SSID cloaking turned on. Given enough time and traf- ODetroit Lowe’s and opened their laptops in search of a wireless features will be divided into two groups: preventing unauthorized fic, Kismet will detect the SSID automatically; If time is limited, access point. As they expected, they found several wireless ac- While established laws regarding the specific use and misuse of access and protecting data. an attacker can force client(s) to disconnect and reconnect from cess points belonging to Lowes, and none of which employed wireless networking technologies are few and far between, juris- Preventing Unauthorized Access the access point, revealing the cloaked SSID. any wireless network security features. The two then connected dictions are beginning to catch up to the exploitation of wireless MAC Address filtering, IP Address filtering, SSID Cloaking, and to Lowes’ wireless network and cracked their way onto the cor- technology. New Hampshire proposed enacting a law leaving Username/Password Authentication are all security methods that porate network. While inside, they gained access to stores and consumers and businesses responsible for the securing of wire- can be implemented to prevent unauthorized access. corporate offices nationwide and installed a piece of software to less network devices, and any “negligent or inadvertent access” capture credit card numbers. Though the software caught only is defendable by an affirmative defense. Westchester County, MAC Address Filtering six credit card numbers and did not gain further access to any New York, enacted a law requiring businesses and home offices An attacker can circumvent MAC address filtering due to the sensitive information, events such as this should be a serious transmitting personal or sensitive information via wireless devices ability to change the MAC address used by a network card. 
Even Figure 3: Kismet detecting the SSID (h4x0r) of an AP, wake-up call to the incurable dangers of installing and using to enable “minimum security measures”, consisting of (but not on WEP and WPA-enabled networks, MAC addresses are required despite SSID cloaking wireless network devices. limited to) installing a network firewall, changing the default SSID, to remain plain-text. Because each data packet contains a source and/or disable SSID broadcasting. The enactment took place to and destination MAC address, an attacker can find a valid MAC Web-Based Username/Password Authentication Legal Responsibilities Regarding Wireless Network help protect against identity theft and other online crimes made address easily by running wireless-sniffing software. Figure 1 is a Security Login screens that require a username and password are com- easy by the widespread use of wireless networks. screenshot from Kismet detecting clients connected to a wireless mon at wireless hotspots, universities and organizations offering Publicized incidents regarding wireless network security and in- network. Because each network device has successfully connected free public wireless access. Before granting full access to the trusions have not been limited to businesses and home users. Comparing Wireless Networks to Wired Networks to the wireless access point, each MAC address must be allowed network, users are required to “log in” via a web interface, which In several cases, the blame for the intrusion or compromise of While wireless networks and wired networks are both a means to by the wireless access point. To gain access to the network, an is the only web page the router will provide. 
In most cases, the sensitive information did not fall on the attacker; it fell on the network connectivity, data containment differs immensely between attacker simply needs to change the MAC address on the attacking internal workings of this scenario are very simple: When the user individuals responsible for keeping the respective network and the two. In a wired networking environment, data signals are machine to match one of the allowed MAC addresses. logs in with a username and password, the router determines contents of the network confidential and secure. contained inside a network cable. In a wireless networking envi- the MAC and IP addresses of the user’s computer. The MAC and Computer security analyst Stefan Puffer demonstrated to Charles ronment, data signals form a sphere hundreds of feet around the IP address are expected to uniquely identify the authenticating Bacarisse and Steve Jennings, employees of Harris County, Texas, access point. While walls, ceilings, buildings and other geographic client; after the authentication process is successfully completed, how easily the City’s unprotected wireless network bridging two obstacles lessen the signal range of a wireless signal, wireless that MAC and IP address are specifically allowed via a firewall buildings could be accessed by unauthorized users; the exposed signals are easily intercepted from remote locations hundreds or access control list. Spoofing the IP and MAC address of the vulnerabilities resulted in a publicized shut-down of the city’s of feet from the access point. While a few hundred feet may attacking client to match an authenticated client will circumvent wireless network. not seem like much of a threat, an attacker can tremendously the login authentication process and allow access to the network. 
The Department of the Interior (DOI) was ordered to disconnect all network computers containing or serving Individual Indian Trust Data from all network devices or devices providing network access. While the disconnection of devices containing Individual Indian Trust Data was not solely the result of poor wireless network security, the penetration-testing team that evaluated the DOI’s network security found serious vulnerabilities created by poor management of wireless network devices. The range created by the wireless devices was not controlled and produced the possibility of accidental or intentional connection by unauthorized wireless devices well beyond the perimeter of the building. The penetration-testing team discovered numerous rogue access points employing no wireless security features, thereby granting easy access to the internal wired network. While most legitimate wireless access points employed Wired Equivalency Privacy (WEP) encryption, the penetration-testing team stated

increase the signal range by using simple devices such as external antennae or other RF boosting hardware. At Defcon 13 in 2005, a team established a full wireless connection over 124.9 miles (limited only by topography) using parabolic antennae. The ability of an attacker to potentially access a wireless network from not only outside a building in a parking lot, but miles away, is an incurable security issue with wireless networking.

Tools of the Trade
For the purpose of this research paper, two software suites were used: Kismet and Aircrack. Kismet is an open-source wireless packet-sniffer and intrusion-detection system (IDS). Unlike most wireless-detection programs, Kismet intercepts data it detects, displays warnings for suspicious activity, and gives very detailed information on access points and connected wireless (and wired) clients. Aircrack, a WEP and WiFi Protected Access (WPA) cracking tool, takes advantage of WEP’s cryptographic weakness and WPA’s vulnerability

Figure 1: Kismet displaying all active MAC Addresses connected to a wireless network

IP Address Filtering
The circumvention of IP address filtering is relatively straight-forward, as Kismet has the ability to sniff packets to find IP addresses in use. If an IP filter is applied to the wireless access point, an attacker simply needs to statically assign the IP on the attacking system to match that of an associated network device.

Using Kismet, as described earlier, will provide a usable IP and MAC address for creating a spoofed connection, and access to most wireless networks requiring a login and password.

Protecting Data
Wired Equivalency Privacy (WEP) and Wifi Protected Access (WPA) are both encryption schemes designed to prevent unauthorized access and keep attackers from sniffing traffic via the airwaves.

Wired Equivalency Privacy (WEP)
Wired Equivalency Privacy, or WEP, is a form of wireless encryption that implements a 64- or 128-bit shared static encryption key. In a WEP-encrypted environment, data above Layer 2, such as network IP addressing information and application data, is encrypted. From a packet dump of WEP-encrypted data, an attacker can only determine the MAC addresses of connected
clients. However, due to a weak encryption scheme, an attacker can crack WEP by simply gathering enough WEP-encrypted data (using Kismet or a program with similar features) and running that data through a WEP-cracking program, such as Aircrack.

Table 1: The OSI Model
Layer # | Layer Name | Description | Encrypted
7 | Application | Programs utilizing networking protocols | Yes
6 | Presentation | Ensures application interoperability | Yes
5 | Session | End-To-End communications | Yes
4 | Transport | Ports | Yes
3 | Network | IP Addresses | Yes
2 | Data Link | MAC Addresses | No
1 | Physical | Binary Representation of data | No

Aircrack requires between 60,000 and 1.5M packets to crack 128-bit WEP. On a busy network, gathering the necessary number of packets might take hours or even as little as a few minutes (Figure 4). On a less busy network, such as a home or residential environment, gathering the necessary amount of encrypted data can take days or even weeks. To speed up the process, an attacker can force access points and wireless devices to generate mass amounts of data by performing an ARP replay attack using aireplay.

Figure 4: Kismet gathering 406k packets in 7 minutes 36 seconds.

After an attacker has gathered the necessary quantity of data, Aircrack can quickly procure the WEP key encrypting the data.

Gaining access to the network under attack is not the only ability the attacker has obtained by cracking the WEP key. An attacker can now apply a feature in Wireshark to decrypt the WEP-encrypted data dumps, revealing all encrypted data. The decrypted packet dumps will contain all data that crossed the line, including usernames, passwords, and other credentials and personal information.

Figure 5: Aircrack successfully procuring the WEP key (with the above 406k packets)

Wireless Protected Access (WPA)
WPA, also utilizing a Layer-2 encryption scheme, is stronger than WEP and does not have the same vulnerabilities and weaknesses in implementation. As opposed to a shared, static key, WPA implements a dynamic key, which differs for every client and every chunk of data. As a result, an attacker gathering packets will never be able to recover the key protecting the data as with WEP. However, WPA is based off a password and is still vulnerable to dictionary or brute-force password attacks. Where WEP took from hundreds of thousands to millions of encrypted packets to crack, WPA requires only a single capture of the authentication process, also called a handshake.

While Aircrack needs only a single handshake to crack WPA, waiting for a device to authenticate can take time. However, an attacker can force clients to deauthenticate and reauthenticate, thereby broadcasting the authentication handshake.

Figure 6: Aircrack after a successful dictionary attack against WPA (WPA password: whatever)

Summary
In addition to public embarrassment and court orders to shut down government networks, more and more jurisdictions are enacting laws requiring businesses, government and law-enforcement offices to secure any wireless networking devices transmitting sensitive information. The security features outlined in present and emerging laws requiring “minimum security measures” are not capable of securing data transmitted over the airwaves. Even with filtering and encryption features enabled, built-in security features of wireless networking hardware are currently inadequate for ensuring the integrity and confidentiality of data crossing the airwaves.

Acknowledgements
Special thanks to NW3C Computer Crimes Specialist Jeremiah Johnson for configuring the wireless router used in this research, providing a Linksys PCMCIA wireless network card, and generating traffic and WPA handshakes for breaking WEP and WPA (respectively); NW3C Research Attorney Christian Desilets for advising excellent case studies; NW3C Computer Crimes Specialists Robert Maddox and Greg Masi for critique and feedback.

Continued on page 58

Tracking Anonymous Internet Surfing
By Matt Churchill, Deputy Sheriff, Douglas County Sheriff’s Office

Everyone can agree that the Internet has made the world a much smaller place. Family and friends can easily keep in touch from miles away sending emails, pictures and videoconferencing. The same is true for criminals. They have become increasingly adept at hiding in the shadows while sending contraband or discussing their criminal enterprise.

While services promising anonymity on the Internet have been around for several years, there is a new and relatively noteworthy offering: XeroBank. The program Tor (which stands for “The Onion Router”) is used as the backbone for XeroBank. Tor was born out of research done by the US Naval Research Laboratory and is currently sponsored by the Electronic Freedom Foundation1. Tor works by maintaining a network of servers run by numerous individuals in different locations. By connecting to Tor, a user routes his or her Internet traffic through several different servers at a time. Anonymity is provided by layering and encrypting the Internet traffic through a variety of servers (layers, you know, like an onion). The server that actually communicates with the Web site has no idea which server, and therefore user, originated the traffic. This enables the user to appear completely anonymous to the connected Web site. The Web site assumes that the exit node, or outermost layer of the chain, is the actual user2.

Tor can be downloaded for free and installed on a computer. The user would then have to configure his or her Internet browser or other program to use Tor. This method has disadvantages as the user can have improperly configured programs that can lead to possible “leaks” or expose weak points that can be exploited to find the user’s true identity. Another major disadvantage (but benefit for us) is that the Internet history will still be written as normal and can be recovered during a computer forensic exam.

XeroBank offers a free product that can be used to avoid the possible pitfalls of a normal Tor installation. XeroBank Browser (formerly known as TorPark) is a version of portable Firefox bundled with Tor. It is configured to automatically use Tor and eliminate some of the leaks and misconfigurations a less experienced user might not realize were there. XeroBank Browser can be run from a USB flash drive, which helps to leave a minimum amount of tracks on the suspect computer. Browsing history and cache would only be found on the flash drive.

New, paid services from XeroBank promise high-speed access to the Tor network. The company is also working on building their own network of servers to replace and operate similarly to Tor. They have promised that all billing is anonymous, no logs are kept, and users will be completely shielded from any law enforcement requests for information (because even XeroBank won’t know who the true user is).

Why is this a concern to law enforcement? Tor is notoriously slow due to encryption and layering traffic and many users aren’t patient enough to use it religiously. However, a new, private high-speed version of Tor will allow criminals to transfer child pornography, use VOIP to discuss terrorist activities, and make use of their offshore e-mail account to finalize any criminal plans3. They can do all of this knowing they are completely anonymous and shielded from prying eyes.

For example, a XeroBank user could access a child pornography Web site without worrying about what logs were kept. If a law enforcement agency seizes the Web site server, the user will not have his or her actual IP address anywhere in the logs. In this situation, the best investigators can hope for is that the suspect entered personally identifiable information or used a credit card to subscribe to the site’s content. This could then be used to interview the suspect and possibly seize his or her computer.

In spite of all this, law enforcement and other users that have no criminal desire can also use the service. An investigator can use XeroBank Browser to access a suspect Web site without worrying about the government IP address raising red flags with the site’s owner. Journalists, whistleblowers and residents of countries with Internet unfriendly governments can all use the service to freely access the Internet.

Criminals have used anonymous services in the past and will continue to use them in the future, as they will continually become better and better options. Law enforcement will have to attempt to stay ahead of new technology, even if criminals don’t use the new options or are slow to adopt them.

About the Author
Matt Churchill is a deputy sheriff for the Douglas County Sheriff’s Office in Omaha, Nebraska. He is CFCE and CCE certified and a member of IACIS, ISFCE, and HTCIA.

References:
1. http://www.eff.org/about/
2. https://tor.eff.org/overview.html.en
3. http://www.xerobank.com/services.html

By Christian Desilets, Research Attorney, NW3C

What Are They?
Web bugs (also known as web beacons, tracking bugs, pixel tags and clear gifs) are powerful tools at an officer’s disposal that can provide information on where an e-mail goes and who visits web sites. Both forms (e-mail and web-based) will be referred to here as web bugs, for simplicity’s sake. Unlike conventional bugs, these tools don’t require specialized hardware. Instead, they take advantage of the way that files are requested and transmitted in many online environments. While many images that one would view on a web page or in an e-mail are included with the rest of the content, a web bug resides on an outside computer and must be requested.

A typical such bug consists of a transparent image file one pixel wide, but it certainly doesn’t have to be. Since transparent pixels (while often overlooked) are a little suspicious when discovered, another common practice is to make the image obvious, but to make it look like it was put there for an innocent reason. Different techniques embodying the latter philosophy include making the web bug an image in your e-mail signature, your background image, using an enhanced emoticon image in your text, encoding part of your message as an image, or including a relevant picture (something humorous, violent, aligned with the hate group you’re dealing with, or purporting to be a teaser picture of a minor, for example, depending on your situation).

The instructions for displaying the web page (the web page source code) are read by the visitor’s web browser and they tell the visitor’s computer how to assemble the page. Among these various instructions, in the case of a web bug, is a section of code that says, in effect “now put this picture here- only I don’t have a copy of it, I’m just pointing to it. Go to this other computer and get a copy for yourself.” The visiting computer then, more-or-less-invisibly to the user, locates the outside computer, establishes a connection to it, and requests that the file be transferred from there. When a computer requests a file from another system, the transaction is typically logged by the computer that transmitted the image, recording what it sent, when it sent it, and where it sent it to (the IP address). These three pieces of information are often enough to be of interest, but they’re just the tip of the iceberg- web bugs can potentially yield a great deal more information as well.

What Can They Do For You?
Imagine, in an investigation involving a far-flung ring of cyber-criminals, that you only know of one solid suspect, but think that he’s working with a number of other people. You’ve managed to gain his trust in a chat room, and he’s talking about a crime involving a number of people whom he only refers to by codenames and Internet handles, without ever volunteering any solid information about them. If you can send him an e-mail with a web bug in it (which you can ask him to forward on to one or more of the other criminals for you, so he doesn’t have to reveal their e-mail addresses), you’ve suddenly got a lot more information.

As soon as he opens up the message and his machine automatically downloads the bug, you’ve got his Internet Protocol (IP) address. With an IP address, there’s a good chance that you’ll be able to track him back to a particular Internet service provider (ISP) in a particular part of the country. If things go well, you’ll be able to follow up with a court order to the ISP (under 18 USC § 2703(d)) and find out which of the ISP’s users were using that IP address at the time. From a cryptic screen name, you’ve now got a real flesh-and-blood person to investigate (though there’s a possibility that the criminal has taken additional steps to mask their identity, this step might be all you need).

Taking it a bit further, if you’re lucky you’re going to get another IP address or two to investigate as he forwards the message to the other criminal contact or contacts and they open the message for themselves. Now you know who your contact was acting as a middle-man for. At the very least, you’ve got an IP address for them, and you can trace it back the same way that you traced the first one. It might not be enough, all by itself, to sustain a conviction, but it’s a good start. From dealing with anonymous screen names, you now have actual people to investigate. You’re also going to have an easier time showing links between the group members, now that you can show that they communicate with each other.

Cookies and Java
Web bugs become much more powerful when combined with other web tools. They can retrieve information previously stored by a cookie, for example. A cookie is “[a] very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you.”1 When your browser sends a request to the server from which it wishes to retrieve information, the browser automatically looks on your machine to see if a cookie file associated with that server already exists. If it does, it forwards all of the information within that file (usually only a few name-value pairs) to the server along with the URL request. If a cookie file doesn’t already exist, the server can send name-value pairs in the header for the web page it sends, and your computer will store this information in an appropriate cookie file.2

While some cookies may store a lot of information, it is far more common for a cookie file to store only a unique identifier. The Web site simply maintains a database that contains any other information about you that it would like to gather on its own site and the unique identifier lets it know when the same computer is used to access it again. Cookies are often used as a convenience, to remember a user’s information between visits, or to allow information to be maintained across different pages on the same server (such as being able to put things in an electronic shopping basket that remembers all the items that you’ve put in it across several pages of items). Generally, if you’ve used a Web site that remembered your preferences, password, or previous purchases, there’s a very good chance that cookies were used to do so. Though the default in most browsers is to accept at least some cookies, it is something that a user can configure to his or her taste.

The file request can also be modified in other ways while still identifying the same resource. Information can be appended to the file requests, sometimes through the Javascript programming language. You may have noticed, when you visit web pages, that sometimes the URL (or Uniform Resource Locator- the bit that tells the computer where to look for the file that you’re trying to access) in the address bar will look something like http://search.yahoo.com/search;_ylt=A0geu9D7QgBG6A4AwTdXNyoA?p=web+bugs&ei=UTF-8&fr=yfp-t-501&x=wrt (the URL that pops up when I perform a search for web bugs on the Yahoo! search engine). That’s a whole lot of strange-looking stuff, right? The trick to reading it is to remember that everything after the question mark is irrelevant to the task of file retrieval. Everything else (called the query, in URL-speak) is passed as data to the program that you just asked to be activated, without knowing what the program is going to do with it. Typically, (as in the case of the URL above) the query is used to populate web forms or to tell some program- say, a search tool, what to do. If the requested URL corresponds to a file and not to a program (which is generally the case when we’re using web bugs), the whole query string is ignored. So why do we care? Because when you click on a link in a web page that you already fed a query string to, it can append the query to the file transfer request (acting like a cookie) and, regardless of whether the query string is ignored or not, the whole URL including it is stored in the server’s log files.

The main differences between query strings used for tracking and HTTP cookies are:

• Query strings form part of the URL, and are therefore included if the user saves or sends the URL to another user; cookies can be maintained across browsing sessions, but are not saved or sent with the URL.

• If the user arrives at the same web server by two (or more) independent paths, it will be assigned two different query strings, while the stored cookies are the same.3

Enhanced with cookies or query strings, web bugs can track suspects across multiple bugged resources, reveal what data they are entering into some sorts of web forms (including things like search terms, payment, and login information), establish data trails on the suspects’ machines (to match the data trail that is being created at the server) that can directly tie them to downloading the bug, and can help track down mobile users (whose IP addresses might be constantly changing). A more complete list of uses is at the end of the article.

That’s Great- But Can We Use Them?
Analyzing the legality of these techniques is a little complicated. Much of the applicable law was drafted in the 80’s, long before the concept of these sorts of tracers would have been reasonably anticipated. As such, we are left with trying to match the particular fact pattern underlying the use of these bugs to a somewhat wide variety of laws, all of which might have some impact on their use.

The legal constraints that we’ll be looking at are:
1) The Computer Fraud and Abuse Act (CFA)
2) The Can-SPAM Act
3) Wiretapping under the Electronic Communications Privacy Act (ECPA)
4) Pen Registers and Trap and Trace Devices
5) The Stored Communications Act (SCA)

The Computer Fraud and Abuse Act (18 USC § 1030. Fraud and related activity in connection with computers)
This statute is primarily concerned with hackers gaining unauthorized entry into a computer system, and using this access to gain or alter data or do some other sort of damage. As the web bug is merely requesting a file from a particular server (and transmitting some information in the process), we are left with only two main questions. The first is whether using an e-mail to sneak something onto someone’s machine that will make the machine perform a particular covert action (in this case, requesting the file) is a violation of the statute. The second question is whether using one of the functions web bugs are commonly employed for- linking cookie information with a particular person across multiple websites- is a violation of the statute (in that it accesses information without explicitly requesting permission).

The computer fraud and abuse statute doesn’t criminalize all undesirable activities on computers. When examining whether or not it’s legal to cause a computer to covertly request an image file, part five of section (a) of the statute comes to the fore:

(5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $ 5,000 in value;

Certainly, any computer on the Internet counts as a “protected” computer (as defined in section e(2) of the statute, a “protected computer” includes a computer “used in interstate or foreign commerce or communication”) and the web or e-mail bug counts as the transmission of code, but that alone isn’t enough to generate liability. Going down the list item by item, a(5)(A)(i) requires intentionally damaging a computer. This doesn’t seem to fit our facts very well. Section a(5)(A)(ii) requires the computer to be accessed
without authorization, but the damage that the suspect would be subjected to certainly isn’t reckless. Section a(5)(A)(iii) removes the recklessness component, leaving us only with the requirements of intentionally accessing a computer and that damage results.

This leads us to a somewhat interesting question- if we’re investigating criminals, and this phase of our investigation results in the criminal serving jail time, is jail time “damage” for the purpose of statute? It’s hard to imagine that suffering the legal consequences of illegal actions isn’t damaging, but at the same time, one has a definite sense that it isn’t what Congress meant when they included a damage requirement. Luckily, Section e(8) of the statute defines damage (for this particular use) as “any impairment to the integrity or availability of data, a program, a system, or information.” Since that’s not the sort of damage that we’d be anticipating, it looks like that particular prong of the Computer Fraud and Abuse Act would be inapplicable.

For our second question (about using the bugs to retrieve information stored in cookies), § 1030 penalizes anyone who:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
[text omitted]
(C) information from any protected computer if the conduct involved an interstate or foreign communication;

As computers on the Internet are protected computers (as mentioned earlier), Internet activity inherently involves interstate communication, and data stored in a cookie file is information, the only question left is whether the computer is being accessed without authorization at some point in the process (or if access is authorized, but the authorization is exceeded).

While the statute is silent as to what constitutes authorization for access, a bug in an e-mail or web page is simply a downloaded picture file. The user, in the case of a web bug, must actively direct his or her web browser to the web page- an act that tacitly requests the contents of the web page to be downloaded to the user’s computer (generally into files of a temporary nature). In the case of an e-mail bug, the user either requests that particular messages be downloaded and examined (usually in e-mail accounts based off of bulletin boards or web mail), or directs his or her e-mail software to download all e-mail messages directed to a particular user account (which is more common among standard desktop e-mail clients, like Microsoft Outlook). Either way, the user’s action of reaching out for the e-mail or web page in question is strong evidence that the user has authorized the transmission and acceptance of those things that one might commonly expect to find on web pages and in e-mails. In this case, that includes picture files. (For that matter, some e-mail clients, like Microsoft’s Outlook 2003, ship with a default setting that will not download images in e-mail unless users pointedly authorize it in each case.4) While they might be placed for the purpose of tracking the visitors to a web page or viewers of an e-mail, there is nothing out of the ordinary about the image files themselves. The user’s downloading of the e-mail that they are in implies his or her authorization for the e-mail and related files to access the computer in question in the way that such images customarily do. Since the access inherent in the transmission of the initial web bug appears to be authorized, our analysis can turn to the cookie file.

allowed and some are not. In Microsoft Internet Explorer 6, for example, all but the lowest privacy protection setting “restrict[s] third party cookies that use personally identifiable information without your explicit consent.” The default setting, Medium, “Blocks third-party cookies that do not have a compact privacy policy, blocks third-party cookies that use personally identifiable information without your implicit consent, and restricts first-party cookies that use personally identifiable information without implicit consent.” In this context, a first-party cookie is a cookie associated with the host domain- somewhere within the web hierarchy that you’re looking at- while a third-party cookie is from some other domain5. The sort of web bugging that we are discussing in this article will typically be of the third-party variety, unless you’re hosting the image on the same server that your e-mail originates from. In other words, my e-mail address is [email protected]. If I send an e-mail with a web bug in it from that address, the cookie generated by my web bug will only be first-party if the image is also hosted on the nw3c.org servers. (Which would look something like http://www.nw3c.org/investigations/1x1.gif.)

The question of whether or not computer users have authorized unknown users to store and transmit information through their computers in cookie files is a little harder to pin down than the authorization issues involved in transmitting image files. In the example of an image file, the user understands that graphics either are or may be present on the web page or in the e-mail, and actively desires (albeit in a somewhat general way) that they be transmitted. Cookie files, on the other hand, are considerably more transparent and technical. Many novice users may not have any idea what a cookie is, what may be done with it, or how and when cookies may be placed onto a computer. While there are security settings on many web browser products that will restrict the sorts of cookies that can be created, or what they will be allowed to do, the casual computer user may never pull up the controls to modify these security features. How can someone consent to something that they never knew existed?

To muddy the waters slightly, various courts have examined the issue of unauthorized cookies from different vantage points, often representing a slightly different understanding of the underlying technology. One such example is the case of Blumofe v. Pharmatrak. (Blumofe v. Pharmatrak, Inc. (In re Pharmatrak Privacy Litig.), 329 F.3d 9, 21 (1st Cir. 2003)). In the Pharmatrak case, users’ personal information had been gathered from a tracking program that surreptitiously transmitted information about users’ web browsing activity to a third party, using a cookie file to enhance the information from a web bug in just the sort of manner that is being discussed here. In that instance, the court found that the “websites gave no indication that use meant consent to collection of personal information by a third party. Rather, [the information gatherer’s] involvement was meant to be invisible to the user, and it was. Deficient notice will almost always defeat a claim of implied consent.” (They were applying the ECPA, but the issue of consent applies equally to both statutes.)

From the line of reasoning used in Pharmatrak, the use of cookies without giving realistic notice to users would always be a violation of the Computer Fraud and Abuse Act. This isn’t such an unusual result from some points of view, as the placing of a text file (in this case, a cookie) on someone’s machine can be seen as a form of accessing the machine and, if the user never knew about it, the user clearly never authorized it.

it goes, except that it completely ignores the fact that a user’s computer in fact does authorize various sorts of cookies, and that users are often quite happy to let retailers use them (as evidenced by the popularity of sites that include such features as “remembering” your login ID, password, favorite categories, and recent purchases). Another slightly iffy point is that the text file is not, in fact, placed on the visiting computer by the server- the server merely transmits data and the receiving computer voluntarily makes the cookie file (thereby placing it on its own drive).

In the case of the surreptitious gathering of personal information by advertising company DoubleClick (In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497, (S.D.N.Y. 2001).), the court, after explaining how a cookie works (including that it is a text file written to a user’s hard drive, is transmitted to the requesting web server, and is updated on the user’s hard drive as data is gathered during web browsing) proceeded to state that “DoubleClick is never alleged to have accessed files, programs, or other information on users’ hard drives.”6

To the DoubleClick court, cookie files were not “information on users’ hard drives” that was being “accessed.” It stands to reason that a court following this understanding of things would say that our use of cookies wouldn’t be “access” either. They don’t explicitly say why the transmission of this particular text file to or from a user’s machine wouldn’t be accessing information, but there are a few possible interpretations that make some degree of sense. Since the court contends that the information was never accessed, it looks like the court views the user’s computer as freely transmitting the information rather than being entered and explored- the difference between me calling someone and telling them my personal information and someone breaking into my home to look through my personal files.

It’s a valid point. The visiting computer is putting out its cookie information, when such information exists, without prompting from any other actor- it’s simply how browser software (generally) is configured to work. Further, the visiting machine accepts cookie values and creates cookie files by default. The server never has to look inside a user’s machine, the machine broadcasts the information that it wants the server to know. Of course, one wonders how this court would expect any information to go from one computer to another that would not be transmitted by the computer that contains it. Browsing files online is considered accessing them (on whatever machine they reside on in physical reality), and altering them certainly is, as well. And yet, in each case, the server merely receives information from the visiting computer and then transmits or alters data on its own. What’s the difference between a user downloading a text file, altering it, and causing the host computer to save it, and the same user receiving information from a text file on a computer, then passing the computer updated information to modify the text file through a command given to a program already running on that computer (in other words, through sending a URL to its browser)?

In the end, this puts the officer in a tricky position. The courts simply haven’t settled the matter yet. The entirety of the arguments either for or against treating the use of cookies as a violation of the Computer Fraud and Abuse act hinge upon how the particular judge ruling on the case understands some fairly technical details about how computers and cookies work. But,

will accept (since these settings presumably embody what the user has authorized cookies to do on their system). This is true even if the cookies are invisible and doing things that users would likely not authorize if they knew of them (like providing evidence of crimes). If one wanted to be careful, one could always use cookies that would be rejected by the default settings of most web browsers (since a computer that accepted the cookies could then be said to have had its security settings altered from their normal state, which would reflect knowledge of them, which would suggest that the current security settings reflected a choice by the user to authorize certain types of cookies.) Of course, until the matter gets thrashed around in court for a few more years, it’ll be hard to say how any particular judge is going to decide.

Just to make sure the point hits home- how web bugs will be treated under the CFA is simply not yet known. There are some good arguments in a variety of directions (“successfully hidden behavior cannot be consented to”, “cookie settings embody standing consent for those types of cookies to function”, and “because the computer transmitted the cookie information on its own, there was no access of the user’s computer”), but nothing is settled yet. If you’re going to use web bugs, make sure that you’re ready to educate the judge, jury, and prosecutor on how they work (and, possibly, be ready to give your prosecutor tips on what that might mean from a legal standpoint).

The Can-SPAM Act (18 USC § 1037. Fraud and related activity in connection with electronic mail)
The Can-SPAM Act reads, in pertinent part (emphasis ours):

In general. Whoever, in or affecting interstate or foreign commerce, knowingly--
(1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple commercial electronic mail messages from or through such computer,
(2) uses a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages,
(3) materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages,
(4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, or
(5) falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses,
or conspires to do so, shall be punished as provided in subsection (b).

Is it possible that an e-mail with a web bug in it might run afoul of this statute? Sure. Some online undercover operations might involve “an intent to deceive… recipients… as to the origins of such messages,” for example. It’s hard to think of times when
This assumption of a lack of authoriza- that aside, a reasonable compromise might be to say that the sending multiple commercial emails during the course of an tion is further bolstered by the fact that, if the users had use of cookies most likely does not violate the Computer Fraud investigation would be a good idea (even if you’re just trying Cookies are something that a user can elect to allow or not. Users known about the cookie and what was being done with it, and Abuse act when no attempt is made to bypass the section to publicize a honeypot, you run into entrapment issues pretty can even elect a middle ground where some sorts of cookies are they likely would not have agreed to it. That’s fine as far as of a user’s privacy settings that detail which sorts of cookies they quick), but our focus here is only on whether web bugs would 48 i N F O R M a nt : JULY 2007 - DECEMBER 2007 www.nw3c.org 49 be penalized by the statute. The short answer? No. While the other between the Web user and Pharmatrak.” This transmission from (or created by means of computer the statute prohibits certain sorts of e-mail that web bugs might argument fails for two reasons. First, as a matter of law, The big question, then, is how that applies to web bugs. On the processing of communications received by means of find themselves in, the inclusion of web bugs (by itself) doesn’t even the circuits adopting a narrow reading of the Wiretap one hand, no one installed anything special on anyone’s computer electronic transmission from), a subscriber or customer seem to affect anything that would trigger the statute. Act merely require that the acquisition occur at the same to record which computers make connections and request file of such service; time as the transmission; they do not require that the ac- transfers. That’s automatic. 
You don’t have to install any sort (B) solely for the purpose of providing storage or com- The Electronic Communications Privacy Act (18 USC quisition somehow constitute the same communication as of special program or device to get the routing information. The puter processing services to such subscriber or customer, § 2511. Interception and disclosure of wire, oral, or the transmission. Second, Pharmatrak acquired the same provider of the service installed the pen register or trap and trace if the provider is not authorized to access the contents electronic communications prohibited) URL query string (sometimes containing personal informa- device (in this case, the programs on the computer), and they’re of any such communications for purposes of providing The crux of the ECPA’s application to web bugs is in the follow- tion) exchanged as part of the communication between the allowed to since it relates to the operation and maintenance of any services other than storage or computer process- ing sections of the statute: pharmaceutical client and the user. Separate, but simultane- the service. You were simply allowed to look at the information ing; and any person who-- ous and identical, communications satisfy even the strictest that their trap and trace device routinely captured (3) a provider of remote computing service or electronic (a) intentionally intercepts, endeavors to intercept, or procures real-time requirement. communication service to the public shall not knowingly any other person to intercept or endeavor to intercept, any (Blumofe v. Pharmatrak, Inc. (In re Pharmatrak Privacy Litig.), On the other hand, the web bug itself could be seen as an divulge a record or other information pertaining to a sub- wire, oral, or electronic communication 329 F.3d 9, 22 (1st Cir. 2003)) integral part of a pen register or a trap and trace device. 
From scriber to or customer of such service (not including the a higher-level viewpoint, the pen register or the trap and trace contents of communications covered by paragraph (1) or shall be punished… It’s good reasoning and it’s fairly unambiguous, even in a field as device used in a web-bugged e-mail isn’t the computer’s auto- (2)) to any governmental entity. (c) It shall not be unlawful under this chapter [18 USCS murky as the real-time acquisition of electronic communications. mated log programs alone- it’s the combination of the logging §§ 2510 et seq.] for a person acting under color of law to We, point blank, cannot use web bugs to intercept communica- system and the web bug. After all, the e-mail could hardly be (b) Exceptions for disclosure of communications. A provider intercept a wire, oral, or electronic communication, where tions without treating them like the wiretaps that they would, at traced without the web bug itself! From that point of view, there described in subsection (a) may divulge the contents of a such person is a party to the communication or one of that point, functionally be. are no applicable exceptions to the statute. communication-- the parties to the communication has given prior consent (1) to an addressee or intended recipient of such com- to such interception. As mentioned earlier, though, this doesn’t mean that we can’t Unfortunately, this particular point hasn’t been raised in a higher- munication or an agent of such addressee or intended use web bugs to pass information- it simply means that any level court yet at all. For now, it might be best to assume that recipient; … First, let’s look at that last bit- it’s not unlawful for an information that we pass has to be original! Generating a the rule applicable to pen registers generally apply equally to (3) with the lawful consent of the originator or an addressee investigating officer to intercept an electronic com- message is different from intercepting one. 
web bugs, and the safe bet is to obtain a court order like you or intended recipient of such communication, or the sub- munication if they’re a party to it, or one of the would for any other pen register or trap and trace device. scriber in the case of remote computing service; parties has given permission. That’s particularly handy Pen Registers and Trap and Trace Devices (18 USC because, when it comes to web bugs, we can assume § 3121. General prohibition on pen register and trap This leaves us in a fairly unusual position, though. If the web So let’s start at the top- what are “electronic communications ser- that we always have permission from one of the parties- the and trace device use; exception) bug doesn’t pass any content information, it can be classified vices” and “remote computing services”? From section 2711(2) server that they’re downloading the web bug from. So, since the In many ways, web bugs act a great deal like pen registers and as a pen register or a trap and trace device, and an officer of that same chapter, we get that: officer is the one who placed the bug and, presumably, either trap and trace devices. might be required to get a court order before using one. On “remote computing service” means the provision to the the officer is hosting the image him- or herself or has enlisted the other hand, if it passes content information, it’s not a pen public of computer storage or processing services by means someone else (who would consent to the interception) to do A pen register is “a device or process which records or decodes register or a trap and trace device anymore, but a wiretap. As of an electronic communications system; it, we can usually stop here. 
dialing, routing, addressing, or signaling information transmitted by a wiretap (governed by the ECPA), you have the permission of an instrument or facility from which a wire or electronic commu- one of the users (the recipient of the request to transfer the And from section 2510(15) of the preceding chapter (incorporated Even this level of analysis might not be necessary, however. nication is transmitted, provided, however, that such information file) to intercept the message, if it can even be classed asan by reference in the statute’s definitions), we get that: Another salient point is that we’re not interested in the informa- shall not include the contents of any communication.” interception. As such, no special legal process is needed. Odd, “electronic communication service” means any service which tion while it is “in flight.” For that matter, we’re often not even isn’t it? Of course, the pen register and trap and trace statute provides to users thereof the ability to send or receive wire interested in the contents of the communication. Often, all we’re A trap and trace device is “a device or process which captures also has a consent exception, but it only applies to users of a or electronic communications; doing is looking at an automated log entry generated when the the incoming electronic or other impulses which identify the origi- service consenting to the provider of the service using a trap communication happened, not the communication itself. We’re nating number or other dialing, routing, addressing, and signaling and trace or pen register device. Since that only helps us if Do either of those concepts apply to our situation? An “electronic looking at the phone bill, not the phone call. 
information reasonably likely to identify the source of a wire or the web bug isn’t seen as part of the overall device, and, if communications system” is defined (in 18 USC § 2510(14)) as: electronic communication, provided, however, that such informa- that’s true, we already have a better exception (that the device “any wire, radio, electromagnetic, photooptical or photo- Things get messier when we pass information, like cookies, through tion shall not include the contents of any communication.” relates to the operation and maintenance of the computer), it’s electronic facilities for the transmission of wire or electronic the web bug. Now we’re looking at the content. In its most of little value to us. communications, and any computer facilities or related elec- basic form, there seems to be no basis for worry that passing So, insofar as the web bug isn’t capturing the con- tronic equipment for the electronic storage of such com- information through web bugs might be seen as an interception- tents of any communication, it looks like it’s likely The Stored Communication Act munications;” the computer pointedly sent the information (even without user either a trap and trace device or a pen register. The Stored Communication Act (18 USC § 2701 et seq.) regu- knowledge) to the web bug’s server. The server received the Fine. And, according to the statute: lates access to communications stored on computers incident to But, in transmitting images and maintaining a database on our information and recorded it. Later, an officer reads it. A message transmission (as opposed to protecting the communications while cookies, are we providing computer storage or processing services that is actually delivered to its intended target can hardly be said Except as provided in this section, no person may install or they’re en route, which is regulated by the Wiretap Act). The through the system? 
To the limited extent that we’re doing to be intercepted, even if it’s later given to someone else. use a pen register or a trap and trace device without first part of the act that comes into focus when discussing cookies any sort of processing or storage, it clearly isn’t being provided obtaining a court order under section 3123 of this title [18 is § 2702, voluntary disclosure of customer communications or “to the public”, so it looks like we’re not operating a remote However, web bugs are sometimes used to pass information USCS § 3123] or under the Foreign Intelligence Surveillance records. It reads, in pertinent part: computing service. that is simultaneously being communicated to some other web Act of 1978 (50 U.S.C. 1801 et seq.) .… page (such as the one on which the web bug is hidden) where Exception. The prohibition of subsection (a) does not apply (a) Prohibitions. Except as provided in subsection (b) or (c)- That dealt with, let’s turn our attention to electronic commu- we don’t have consent to intercept the message. In that case, with respect to the use of a pen register or a trap and trace (1) a person or entity providing an electronic communica- nication services. The web bug and the information stored in a violation of the statute is much more likely. This exact issue device by a provider of electronic or wire communication tion service to the public shall not knowingly divulge to any a cookie file are both examples of electronic communications. came up in the earlier-referenced case of Blumofe v. 
Pharmatrak, service-- person or entity the contents of a communication while in And it seems a little odd to argue that we are not providing to where Pharmatrak used web bugs that passed information that (1) relating to the operation, maintenance, and testing electronic storage by that service; and our users the ability to send or receive these communications clients entered on some pharmaceutical sites to Pharmatrak’s of a wire or electronic communication service or to the (2) a person or entity providing remote computing service when that is, in fact, exactly what the system is designed to servers. As the court there said: protection of the rights or property of such provider, or to the public shall not knowingly divulge to any person or do (even though the statute was originally conceived to cover Pharmatrak argues that there was no interception because to the protection of users of that service from abuse of entity the contents of any communication which is carried e-mail providers, but courts are having to stretch the old stat- “there were always two separate communications: one be- service or unlawful use of service; or maintained on that service-- utes a little to fit new situations). So, by configuring a server to transmit an image and to transmit and receive cookie data, tween the Web user and the Pharmaceutical Client, and (A) on behalf of, and received by means of electronic Continued on page 58 50 i N F O R M a nt : JULY 2007 - DECEMBER 2007 www.nw3c.org 51 botnets have been used to facilitate other criminal activity. A botnet is a collection of compromised computers under the remote IC3 Alert Tips command and control of a criminal “botherder.” Most owners of Be cautious when responding to requests or special the compromised computers are unknowing and unwitting victims. 
offers delivered through unsolicited e-mail: They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as • If you know someone who is involved with IC3 ALERTS this type of correspondence, encourage identity theft, denial of service attacks, phishing, click fraud and the mass distribution of spam and spyware. Because of their them to contact their local FBI. widely distributed capabilities, botnets are a growing threat to • Do not respond to any unsolicited (SPAM) national security, the national information infrastructure, and the incoming e-mails. JUSTICE DEPARTMENT ALERTS PUBLIC ABOUT THE INTERNET CRIME COMPLAINT CENTER HITS economy. FRAUDULENT SPAM EMAIL 1 MILLION! • Guard your account information carefully. Justice Department Urges Public Not to Respond to E-mail July 13, 2007 -Fairmont, WV - The Internet Crime Complaint “The majority of victims are not even aware that their computer July 27, 2007 -Washington, D.C. - The Department of Justice Center (IC3) has logged its 1 millionth consumer complaint has been compromised or their personal information exploited,” • Keep a list of all your credit cards and has recently become aware of fraudulent spam e-mail messages about alleged online fraud or cyber crime. The 1 millionth said FBI Assistant Director James Finch, Cyber Division. “An attacker account information, along with the claiming to be from DOJ. Based upon complaints from the public, complaint hit the IC3 system on June 11th, 2007 at 1:26 PM. gains control by infecting the computer with a virus or other card issuer’s contact information; if your it is believed that the fraudulent messages are addressed “Dear malicious code and the computer continues to operate normally. 
monthly statement looks suspicious or Citizen.” The messages are believed to assert that the recipients IC3 is a partnership between the Federal Bureau of Investigation Citizens can protect themselves from botnets and the associated you lose your card(s), contact the issuer or their businesses have been the subject of complaints filed (FBI) and the National White Collar Crime Center (NW3C). schemes by practicing strong computer security habits to reduce immediately. with DOJ and also forwarded to the Internal Revenue Service. In risk that your computer will be compromised.” • Be skeptical of individuals representing addition, such e-mail messages may provide a case number, and IC3’s mission is to serve as a vehicle to receive, develop and The FBI also wants to thank our industry partners, such as the themselves as members of well known state that the complaint was “filled [sic] by Mr. Henry Stewart.” refer criminal complaints regarding the rapidly expanding arena of Microsoft Corporation and the Botnet Task Force, in referring criminal charitable organizations asking for your A DOJ logo may appear at the top of the e-mail message or in cyber crime. The IC3 gives the victims of cyber crime a convenient botnet activity to law enforcement. monetary aid. an attached file. Finally, the message may include an attachment and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations. For law enforcement and that supposedly contains a copy of the complaint and contact • To ensure contributions to U.S. based non- regulatory agencies at the federal, state, local and international Cyber security tips include updating anti-virus software, installing a information for Mr. Stewart. profit organizations are received and used level, IC3 provides a central referral mechanism for complaints firewall, using strong passwords, practicing good e-mail and web for intended purposes, go directly to the THESE EMAIL MESSAGES ARE A HOAX. DO NOT RESPOND. 
involving Internet related crimes. security practices. Although this will not necessarily identify or remove a botnet currently on the system, this can help to prevent recognized charities and aid organizations’ The Department of Justice did not send these unsolicited e-mail The Internet Crime Complaint Center went operational in May future botnet attacks. More information on botnets and tips for Web sites, as opposed to following links messages — and would not send such messages to the public 2000 as the Internet Fraud Complaint Center (IFCC). However, cyber crime prevention can be found online at www.fbi.gov. provided in e-mails. via e-mail. Similar hoaxes have been recently perpetrated in the in December, 2003, the IFCC was renamed the Internet Crime The FBI will not contact you online and request your personal • Attempt to verify the legitimacy of non- names of various governmental entities, including the Federal Complaint Center to better reflect the broad character of such information so be wary of fraud schemes that request this type of profit organizations by utilizing various Bureau of Investigation, the Federal Trade Commission and the criminal matters having a cyber (Internet) nexus. information, especially via unsolicited emails. To report fraudulent Internet-based resources which may Internal Revenue Service. E-mail users should be especially wary activity or financial scams, contact the nearest FBI office or police assist in confirming the existence of the of unsolicited warning messages that purport to come from U.S. Since it began, IC3 has referred 461,096 criminal complaints to department, and file a complaint online with the Internet Crime organization, as well as its non-profit governmental agencies directing them to click on file attachments federal, state and local law enforcement agencies around the country Complaint Center, www.ic3.gov. status. or to provide sensitive personal information. for further consideration. 
The vast majority of cases were fraudulent in nature and involved financial loss on the part of the complainant. To date, the following subjects have been charged or arrested in • Be skeptical of e-mails appearing to be These spam e-mail messages are bogus and should be immediately The total dollar loss from all referred cases of fraud was estimated to this operation with computer fraud and abuse in violation of Title from reputable institutions you recognize deleted. Computers may be put at risk simply by an attempt to be $647.1 million with a median dollar loss of $270 per complaint. 18 USC 1030, including: or have accounts with that have minor examine these messages for signs of fraud. It is possible that by Many of these complaints involved reports of identity theft, such as  James C. Brewer of Arlington, Texas, is alleged to mis-spellings or slightly incorrect grammar “double-clicking” on attachments to these messages, recipients loss of personal identifying data, unauthorized use of credit cards have operated a botnet that infected Chicago area (similar to the way that someone who does will cause malicious software – e.g., viruses, keystroke loggers, or or bank accounts, and the like. Information from the non-criminal hospitals. This botnet infected tens of thousands of not speak English as their native language other Trojan horse programs – to be launched on their computers. complaints received has been used to detect emerging trends computers worldwide. (FBI Chicago); would speak or write). Do not open any attachment to such messages. Delete the e- and proactively work to avoid consumer victimization using the mail. Empty the deleted items folder. resources of project partners and the consumer education Web • Do not be led astray by your emotional  Jason Michael Downey of Covington, Kentucky, is charged site LooksTooGoodToBeTrue.com.  desires for companionship. 
If you have received this, or a similar hoax, please file a complaint with using botnets to send a high volume of traffic to at www.ic3.gov. Within the complaint, please list “DOJ Spoof intended recipients to cause damage by impairing the • Be leery of e-mails claiming to show E-mail” in the “Business Name” field of the complaint, where OVER ONE MILLION POTENTIAL VICTIMS OF BOTNET availability of such systems. (FBI Detroit); and pictures of disaster areas in attached files, complainants are directed to place the name of the business CYBER CRIME as the files may contain viruses; only open uly 13, 2007 - Washington, D.C. – Today the Department of which has victimized them, as this will allow the IC3 to easily J  Robert Alan Soloway of Seattle, Washington, is alleged attachments from known senders. retrieve and process these complaints. Justice and FBI announced the results of an ongoing cyber crime to have used a large botnet network and spammed initiative to disrupt and dismantle “botherders” and elevate the tens of millions of unsolicited e-mail messages to • Be skeptical of individuals representing Consumers can learn more about protecting themselves from public’s cyber security awareness of botnets. OPERATION BOT advertise his Web site from which he offered services themselves as Nigerian or foreign malicious spyware and bogus e-mails at OnGuardOnline.gov, a ROAST is a national initiative and ongoing investigations have and products. (FBI Seattle) government officials asking for your help Web site created by the Department of Justice in partnership identified over one million victim computer IP addresses. The in placing large sums of money. with other federal agencies and the technology industry to help FBI is working with our industry partners, including the Computer The FBI will continue to aggressively investigate individuals that consumers stay safe online. 
The site features modules on spyware Emergency Response Team Coordination Center at Carnegie Mellon conduct cyber criminal acts.  • Do not believe the promise of large sums and phishing, at http://onguardonline.gov/spyware.html and http:// University, to notify the victim owners of the computers. Through of money for your cooperation. q onguardonline.gov/phishing.html. q this process the FBI may uncover additional incidents in which 52 i N F O R M a nt : JULY 2007 - DECEMBER 2007 www.nw3c.org 53 NW3C Hosts Outreach Seminar The next Outreach event will take place in are receiving from agencies throughout the in Tarrytown, New York Albuquerque, New Mexico. See the back United States. During the past year we were cover for more information. q able to schedule just 22% of the courses n April 18th, law enforcement of- that were requested with some agencies ficials attended NW3C’s Outreach NW3C has Steady Rise in waiting as much as three years to host the Shawnee County Veterinarian, The Office of the Kansas Securities Com- The Office of the Kansas Securities Com- Demand for Training course that they have requested. O Seminar in Tarrytown, NY. The Donald Atteberry, Guilty of missioner was first made aware of the cattle missioner is charged with administration one-day event was attended by 162 law embryo transfer program after Atteberry placed and enforcement of the Kansas Uniform enforcement members and featured lectures W3C has seen a steady increase For more information about NW3C’s current March 26, 2007 an advertisement soliciting investments in a Securities Act under Chapter 17 of the on such topics as Identity Theft, Phishing in the demand for our financial in- training courses, visit www.nw3c.org. q Kansas City newspaper. After determining Kansas Statutes. 
and Tools, Tricks and Techniques used by Cyber Criminals.

Left to Right: Don Brackman, Director, NW3C; Janet DiFiore, District Attorney, Westchester County; and Thomas Belfiore, Commissioner and Sheriff, Westchester County.

Opening remarks were presented by Thomas Belfiore, Commissioner/Sheriff of Westchester County Department of Public Safety, Janet DiFiore, District Attorney of Westchester County and Don Brackman, Director of NW3C.

Presenters during the outreach event included Chris Nelson, Senior Investigator, Jefferson County Sheriff’s Office (Golden, CO); Charles Cohen, First Sergeant, Indiana State Police; and Mark Gage, Deputy Director, NW3C.

NW3C Outreach seminars are free and intended for a law enforcement audience.

vestigation and intelligence analysis courses over the last few years.

That demand saw a marked increase during the last fiscal year (July 2006 – June 2007). During the previous fiscal year, attendance at most courses grew, as illustrated by the graphic below.

NW3C instructed 46 financial investigation and intelligence analysis courses during the period. Many of the courses that were presented were requested by our voting member agencies. There is no fee for voting member agencies to attend our training course and associate members can attend the course at a reasonable cost of $225 - $275. Class size is limited by the resources that we have, at approximately 25 students per class. During the period 138 prospective participants were turned away due to limits that were set based on budget and facility.

Several of the courses were expanded to accommodate the demand, where appropriate, resulting in the instruction of 34 additional participants. We are currently meeting a small percentage of the requests that we

NW3C to Receive NESPIN Partnership Award

NW3C was chosen to receive the New England State Police Information Network (NESPIN) Partnership Award for providing outstanding, innovative and relevant training and services to the Law Enforcement Community and NESPIN members.

The award will be presented to NW3C during the NESPIN Annual Conference, which will be held on September 11-13, 2007 at the Radisson Hotel in Nashua, New Hampshire.

Honorees of the Partnership Award are chosen from a ten person committee, composed of managers from each section at NESPIN. Each section submitted the names of three agencies that have been used for services within the last year.

NESPIN is a part of the Regional Information Sharing Systems (RISS). The RISS program is an innovative law enforcement program that receives federal funding to support regional law enforcement efforts to combat terrorist activity, illegal drug trafficking, organized criminal activity, criminal gangs, violent crime, and other regional criminal priorities and to promote officer safety. On national-scope issues, the six regional centers initiate joint, cross-center efforts, coordinating and cooperating as one body.

TOPEKA, KS -- Kansas Securities Commissioner Chris Biggs announced today that on Monday, March 26, Berryton resident Donald G. Atteberry, 52, pleaded no contest in Shawnee County District Court to 36 felony counts related to violations of the Kansas Securities Act. Atteberry was found guilty and convicted of eight felony counts each of securities fraud, failure to register as a broker, dealer, or agent and offer or sale of unregistered securities. Atteberry was also convicted of ten felony counts of violation of an administrative order of the Securities Commissioner, and two felony counts of theft by deception. Sentencing is scheduled for June 21, 2007.

The 36 felony convictions resulted from Atteberry, a licensed veterinarian at the time of the offenses, soliciting more than $1,300,000 dollars from eight Kansas investors for investment in a fictitious cattle embryo transfer program. Investors were issued promissory notes and advised by Atteberry that for their investment they would receive a return of 5-15% within one to six months. The monies were to be used to freeze cattle embryos for shipment to Europe. The investigation showed that the money was not invested in an embryo transfer program, but was used in part to make interest payments to earlier investors in what is commonly known as a “Ponzi” scheme. The money was also converted to Atteberry’s personal use and was spent on, among other things, gambling at area casinos.

that Atteberry and the investment were not registered in Kansas, the Securities Commissioner issued an Emergency Cease and Desist Order in October 2001, ordering Atteberry to stop all investment solicitations and sales.

It was later discovered that Atteberry continued to operate the same investment program in violation of the 2001 Order. In May 2005, the Kansas Securities Commissioner issued a second Cease and Desist Order, and staff later began a criminal investigation. Atteberry was found guilty of the ten felony counts of violation of an administrative order based on conduct that occurred after he was served with the administrative orders.

At sentencing, Atteberry faces up to 86 months in prison and restitution to victim investors of over $940,000. The maximum fines for each count range from $100,000 to $300,000 per count. Pursuant to the Kansas Sentencing Guidelines and special provisions of the Kansas Securities Act, the penalties for 29 of the charges are presumptive imprisonment.

The investigation and prosecution of Atteberry was done with the assistance and cooperation of Robert Hecht, District Attorney of the Third Judicial District, Shawnee County, Kansas.

The Office investigates and prosecutes securities fraud, the offer or sale of unregistered securities and the offer or sale of securities by unlicensed stockbrokers or investment advisers. For more information and investor education resources, visit http://www.securities.state.ks.us.

LAREDO TRUCK DRIVER SENTENCED TO PRISON FOR DISTRIBUTING CHILD PORNOGRAPHY
March 6, 2007

LAREDO, TX– Abel C. Lucio, 55, has been sentenced to almost eight years in federal prison without parole and ordered to register as a sex offender for distributing child pornography, United States Attorney, Don DeGabrielle, Jr., announced today.

United States District Judge Micaela Alvarez sentenced Lucio to a 95 month term of imprisonment to be followed by a three year term of supervised release during which Lucio has been ordered to register as a sex offender, participate in a sex offender/mental health program, avoid direct and indirect contact with minors and not to possess or have access to computer or the Internet except for specified purposes.

Lucio’s conviction is the result of an investigation initiated by the Federal Bureau of Investigation (FBI) in 2002. The FBI later obtained additional information from state investigations in Maryland and in Texas involving the same person distributing child pornography via the Internet using the screen names “ACHot4UNTX,” “Achot4u,” and “tabatha598.” The FBI’s investigation focused upon identifying and locating the person behind the screen names.

The person using the screen name Achot4u was responsible for sending five images of child pornography to an adult female in a computer “chat room” in April 2002. Several months later, in August 2002, the person using the screen name “ACHot4UNTX” entered a chat room, began talking with an undercover Maryland police officer posing as a thirteen-year-old girl, and ultimately sent three child pornographic images to the undercover officer believing he had sent them to the thirteen-year-old girl. The images depicted adult males performing sexual acts on children ranging in age from an estimated four years to seventeen years. The young girls depicted in two of the images distributed were later identified by the National Center for Missing and Exploited Children as known sexually exploited child victims.

On June 5, 2006, the FBI’s investigation identified the man behind the screen names and responsible for distributing the child pornography via the Internet as Abel C. Lucio, a commercial truck driver from Laredo, Texas. Lucio subsequently admitted to sending all eight images in 2002 using his personal laptop computer. Additional forensic examination of the computer recovered three suspected child pornographic images in allocated areas of the hard drives, and fifteen suspected child pornographic images in the unallocated areas of the hard drives. Lucio was convicted after pleading guilty to the federal offense on August 7, 2006.

Lucio, who has been in federal custody since his arrest in August 2006, will remain in federal custody to begin serving his prison term.

This case is being brought as part of Project Safe Childhood, a nationwide initiative designed to protect children from online exploitation and abuse launched in February 2006 by Attorney General Alberto R. Gonzales. Led by the United States Attorneys Offices, Project Safe Childhood marshals federal, state and local resources to better locate, apprehend, and prosecute individuals who exploit children via the Internet, as well as identify and rescue victims. For more information about Project Safe Childhood, please visit www.projectsafechildhood.gov/.

This case was investigated by the Federal Bureau of Investigation, the Criminal Investigations Division of the Texas Attorney General, the Maryland State Police’s Internet Crimes Against Children Task Force, the Carroll County Sheriff’s Office, and was prosecuted by Assistant United States Attorney Diana Song.

THREE DEFENDANTS ARRESTED IN REAL ESTATE SCAM
April 13, 2007

BOSTON, MA - A Sharon man and two women accomplices were arrested yesterday on conspiracy and identity theft charges.

United States Attorney Michael J. Sullivan; Suffolk County District Attorney Daniel Conley; Colonel Mark Delaney, Superintendent of the Massachusetts State Police; Commissioner Edward Davis of the Boston Police Department; Peter Zegarac, Inspector in Charge of the U.S. Postal Inspection Service; Steven D. Ricciardi, Special Agent in Charge of the U.S. Secret Service; Douglas A. Bricker, Special Agent in Charge of the U.S. Internal Revenue Service, Criminal Investigation; and Warren T. Bamford, Special Agent in Charge of the Federal Bureau of Investigation, announced that ANDRE J. LAMERIQUE, 25, of 288 N. Main Street, Sharon, PA, CARMELLA F. LESSEGUE, 25, of 317 Wood Avenue, Hyde Park, MA, and JUDY A. BONAS, 527 W. 157th Street, New York City, NY, were arrested yesterday on a federal criminal complaint charging them with conspiracy to use stolen identifications to finance the fictitious purchase of a residence in Dorchester, MA.

According to the affidavit filed in support of the complaint, LAMERIQUE constructed a fictitious “sale” of the home of a Dorchester woman in order to obtain funds from a $440,000 mortgage to finance the purported purchase. The complaint alleges that BONAS used a stolen identification to pose as the seller of the Dorchester residence and LESSEGUE used a stolen identification to pose as the buyer. Law enforcement learned of the scheme and had an undercover Massachusetts State Trooper act as the attorney who was supposed to close the deal.

All three defendants were arrested and charged in state court after the women participated in the closing of the “sale” at the Suffolk County Registry of Deeds on January 23, 2007. They were initially charged in state court; the Suffolk County District Attorney dismissed those charges today in favor of federal prosecution.

All three defendants appeared in federal court on the charges yesterday afternoon before a U.S. Magistrate Judge. LAMERIQUE will remain in custody pending the outcome of the case. BONAS and LESSEGUE remain in custody until terms for their release can be arranged. If convicted, each defendant faces up to 5 years in prison on the conspiracy charge, and up to 15 years on the identity theft charge, to be followed by 2 years of supervised release and fines of $250,000 on each count.

The case was investigated by the Massachusetts Financial Crimes Task Force, an inter-agency work group consisting of the U.S. Postal Inspection Service, the U.S. Secret Service, the Massachusetts State Police, and the Boston Police Department. The ongoing investigation also involves the Federal Bureau of Investigation and the U.S. Internal Revenue Service, Criminal Investigation. The case is being prosecuted by Assistant U.S. Attorney Victor A. Wild in Sullivan’s Economic Crimes Unit.

The details contained in the complaint are allegations. The defendants are presumed to be innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Internet Scams, Cons and Theft
Continued from page 38

law enforcement agencies across the globe and assist with coordinating investigative efforts.

References

1. De Becker, Gavin. 1999. The Gift of Fear. Delta Publishing, New York, NY.

2. Friedberg, Jeffrey. 2005. Internet Fraud Battlefield. Retrieved from http://72.14.209.104/search?q=cache:mXTNMZ7ak50J:download.microsoft.com/download/b/5/6/b566cdf9-a3d5-43a3-b756-7d23e34be7d8/battlefield.doc+Internet+Fraud+Battlefield&hl=en&ct=clnk&cd=1&gl=us April 3, 2007. Microsoft Corporation

3. FraudAid. What a Con Artist Looks for in a Scam Victim. Retrieved 4/10/2007 from http://www.fraudaid.com/What-a-Con-artist-Looks-For-in-a-Scam-Victim.htm

4. FraudAid. Profile of a Con Artist. Retrieved 4/10/2007 from http://www.fraudaid.com/profile_of_a_con_artist02.htm

5. January 2007. United States General Services Administration Federal Information Center 2007 Consumer Action Handbook

6. Legends of America’s Old West Legends: Complete List of Old West Scoundrels. Retrieved April 10, 2007 from http://www.legendsofamerica.com/WE-ScoundrelList.html

7. Ritter, Nancy M. November 2006. Preparing for the Future: Criminal Justice in 2040. National Institute of Justice No. 255.

8. Taflinger, Richard F. PhD. 1996. Taking Advantage. Washington State University.

Identity Theft: The Complex Criminal
Continued from page 39

Two of the three were wanted by the State of Nevada for Burglary, Uttering Forged Documents, and Failure to Appear, Forgery, Theft and Identity Theft. The subsequent investigation revealed the subjects would travel from city to city committing fraud. When law enforcement would get close, they would pack up and set up shop in another city. The subjects have been linked to offenses in Washington, Oregon, Arizona and Nevada.

In Washington, the subjects entered a check cashing store to cash a check. The clerk looked at the check and observed two different cities carrying the same zip code. The clerk, believing the check fake, notified a manager who in turn called the police. Before the police arrived, the subject walked out of the store leaving the check and driver license behind. A driver license seized during the execution of the search warrant was a duplicate of the license left behind in Washington. The check information; routing number, account number, name of bank and name of account holder was information found in the black file box found during the execution of the warrant.

Why is this case so unique and complex? The subjects had enough information on the unwary victim to make fake identification cards and complete credit applications. When the business would conduct the credit check, the return was favorable. After all, the subjects had the victim’s credit report and credit score. They did not worry if the application was approved or not. They had enough identifying information they could pick and choose at random. Even if stopped by law enforcement it would be difficult to determine they were lying.

Many departments do not have the capability to view driver license photos in the field. Imagine how many times these subjects have been able to walk away from law enforcement because of this! Now for the kicker…the ring leader just turned 22.

During an interview with the ringleader, she admits learning the trade at 18 and stealing hundreds of thousands of dollars from innocent victims and showing others how it’s done. One business in Nevada has sustained an $800,000.00 loss because of them. There are five people involved. One has been arrested by the United States Secret Service in Nevada. The four remaining subjects have been arrested here in El Paso.

About the Author

I have been a police officer with the El Paso Police Department for eight years. I’ve been assigned to patrol and criminal investigations. I am currently assigned to the Identity Theft Unit. I have been there for one year and received training in money laundering, financial investigative techniques, surveillance operations and conspiracy investigations.

Has Your Agency Completed a Successful White Collar Crime Case?

Submit your success story to be published in the Informant. Visit www.nw3c.org for deadlines and submission guidelines.

QUESTIONS? Contact Loreal Bond at [email protected].

Wireless Network (In) Security
Continued from page 44

References

1. Full news coverage can be found at: http://www.securityfocus.com/news/9281

2. Full news coverage can be found at: http://www.chron.com/disp/story.mpl/metropolitan/1302663.html

3. Case study details available at: http://www.dcd.uscourts.gov/96-1285bj.pdf

4. The relevant statute can be reviewed at: http://www.gencourt.state.nh.us/legislation/2003/HB0495.html

5. Details can be found at: http://www.westchestergov.com/idtheft/wifilaw.htm

6. Cantennas for boosting wireless range can be home-made or purchased at http://www.cantenna.com

7. Radio Frequency

8. Defcon, held annually in Las Vegas, Nevada, is the largest hacker convention in the world, often gathering over five-thousand individuals from around the globe. More information can be found at: http://www.defcon.org

9. Full coverage at: http://www.wired.com/news/technology/wireless/0,68395-0.html

10. More information can be found at: http://www.kismetwireless.net

11. An Intrusion Detection System (IDS) is a piece of software that watches for devices or data that indicate a network attack or intrusion.

12. More information can be found at: http://www.aircrack-ng.org

13. WEP keys consist of 13 hex pairs, such as: 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D

14. The MAC change only occurs within the driver; the actual MAC address burned onto the network card does not change. Not all drivers support changing the MAC address.

15. More network devices may be associated to the wireless access point than are displayed by Kismet. Kismet only detects and adds devices to the list when they generate traffic.

16. If network traffic is encrypted, sniffing a usable IP address without knowing the encryption key might not be possible.

17. Service Set Identifier: the name that is broadcasted identifying the access point.

18. Broadcasted data is sent to all wireless devices in range.

19. Information found in beacon frames contains information such as supported data rates, utilization of encryption, and the SSID.

20. While SSID cloaking is designed to keep an attacker off a network, enabling this feature will not prevent the attacker from sniffing wireless traffic.

21. The MAC and IP address could possibly be determined from the DHCP server.

22. Shared means each client has the same encryption key.

23. Static means the key never changes.

24. More information regarding the cryptographic weakness of WEP can be found in “Practical Exploitation of RC4 Weaknesses in WEP Environments” by David Houlton: http://www.dachb0den.com/projects/bsd-airtools/wepexp.txt

25. Mileage varies, depending on the wireless access point.

26. Address Resolution Protocol: Asks for the MAC address of a device associated with an IP address.

27. Aireplay is a wireless packet-injection program packaged with aircrack.

28. Refer back to Table 1.

29. Dictionary-based password attacks take a file containing a dictionary, or list, of potential passwords and check each password against the encrypted file.

30. Brute-force password attacks test every possible combination of letters, numbers, and symbols until a match is found. While 100% successful, brute-force password attacks against modern encryption algorithms almost always require well beyond a lifetime of computing to exhaust all possible keys. For an example, see the Frequently Asked Questions (FAQ) sheet on Advanced Encryption Standard (AES), bullet 16: http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html

Web Bugs
Continued from page 51

we’re technically running an electronic communication service.

“Since a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service,”

We need to look at a few more questions: is the service provided to the public? Is the communication in electronic storage? As for the public/private distinction, the general litmus test is, if the resource is only accessible by a closed list of people (even if the list is quite large), it is private, whereas if any member of the public could access it (even if they would have to pay a fee for the privilege), it’s public. Even if we only mail the web bug to a few people, any member of the public could call it up. So, it’s public.

Electronic storage, however, is defined a little strangely. 18 USC § 2510(17) defines it as:

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

“Temporary, intermediate storage” imagines an e-mail system forwarding an e-mail communication through intermediate servers that would each receive a copy, then forward it on, one step closer to its destination. Each copy of the e-mail made on the way, then, would be temporary (the forwarding servers didn’t intend to keep the message, just to pass it on), and intermediate (these servers aren’t the destination, just waypoints). So, while some might argue that the IP and cookie information is, to some degree, temporary, the storage isn’t intermediate. The server hosting the information isn’t a waypoint on the way to somewhere else, it’s the destination.

That still leaves us dealing with

(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.

(b) Exceptions for disclosure of communications. A provider described in subsection (a) may divulge the contents of a communication-

(1) to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient; …

(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service;

We’re still arguably providing electronic communication services to the public, even if the data that we’re looking at isn’t in electronic storage. So does this mean that we can’t knowingly divulge information relating to the customers of such services (that is, the people who download the web bug) to any government entity? Not at all, so long as we have the lawful consent of the addressee (whoever owns the server that hosted the web bug). Since that person, in most investigations, is already working with law enforcement in the first place, that requirement isn’t very difficult to meet.

The Bottom Line

Web bugs have not been thoroughly examined in court. How any particular use of a web bug goes over before a judge is going to come down to the judge, how they view the situation, and how well educated they are on what’s actually happening when a web bug is in operation. There’s no way to use web bugs that is guaranteed to be universally seen as acceptable, but their utility is such that not to use them would be to seriously handicap investigations. If you have the time, obtaining a warrant first is always a great way to go. Of course, much of the information that is required for a warrant will be hard to come by; the real utility of web bugs comes precisely when you don’t know who you’re investigating. A court order for a pen register/trap and trace device is also great, and much easier to obtain.

But… assuming that what most officers in the field really want is a way to use web bugs without all the muss and fuss of obtaining court orders in the first place, it looks like that’s possible as well. The important concern in that case is to use cookies or the query strings of URLs, but not to abuse them. Cookies designed to slip past users who have disallowed certain cookie types could run afoul of the Computer Fraud and Abuse Act (as it might be seen as accessing a computer without permission), and not passing some sort of content might trigger the pen register statute (which, unlike the wiretap statute, doesn’t have a consent exception that can be invoked by parties to the communication). However, while you’re sending content remember that sending data is fine, but that capturing communications between the user and some other Web site (from whom you don’t have permission to intercept communications) potentially violates the Wiretap Act.

There’s a lot that it looks like you can’t do with web and e-mail bugs without running the possibility of violating one of the many applicable statutes, especially considering that different courts may interpret them to apply to situations quite differently. That’s somewhat to be expected, but let’s shift gears a bit. Even with all those prohibitions, what does it look like we can do with them? Well, there are a number of possibilities, but here are at least a few:

• When you put web bugs on profiles of minors (either fictional or victims seeking to identify the online predators who are targeting them) that set a unique identifying value on the computers of people who view that profile, you now not only have a rough idea of where the viewers’ computers are located (from the connection logs), but you can gauge the relative popularity of different sorts of bait profiles, link one user across many different potential victims (since the unique identifier set by the cookie won’t change), and more easily identify suspects who contact victims through multiple accounts (since the unique identifier will be the same, unless the suspect is actually logging onto their computer as a different user or using a different computer)

• When dealing with suspects who are using “anonymous” e-mail services, hijacked e-mail accounts or remailers, the use of web bugs allows an investigator to bypass multiple levels of account obfuscation and drill down directly to the suspect’s computer’s IP address (since what you’re recording is the suspect’s computer connecting to yours to download the image).

• In cases of suspected conspiracies, an e-mail bug (again, that sets a unique identifier) included in a communication to one conspirator can give insight into the other members of the conspiracy when it’s forwarded (at the very least, it can give us IP addresses for them and whether they are potentially unique members of the conspiracy or simply other aliases maintained on the same machine).

• An e-mail bug hidden in an e-mail sent to a suspect who is in contact with the victim via computer can set a cookie with a unique identifier on the suspect’s machine. When the case comes to trial, the fact that the identifier in the cookie file on the suspect’s machine matches the identifier maintained in the bug’s server’s database as belonging to the incriminating communication is further evidence that that computer was used to commit the crime. (Unless they’ve deleted their cookie files, of course)

• When attempting to tie an individual suspect to a crime committed through a computer to which several people had access (and which has multiple user accounts), cookies set by your web bug should only be visible through the account of the user who downloaded them. Or, in the case of multiple users who also have multiple computers (such as a work computer, etc), cookie files appearing on multiple machines may help incriminate the appropriate suspect(s). (While the unique IDs will be different, the fact that they exist would be telling.)

• When problems exist in getting timely help tracing IP addresses through ISPs, or when computer-savvy criminals have used multiple levels of hacked systems to insulate them from tracking, bug information will at least allow evidence gathered through traditional policework to be easily correlated with evidence from the online portion of the investigation (as, once the physical computer is recovered, the unique IDs in its cookies can be matched to the online activities that you were bugging).

Good luck out there. Web bugs can be a valuable tool for breaking the pseudo-anonymity of cyberspace!

References:

1. “Information About Cookies on Microsoft.com: Microsoft.com Cookies FAQ” Microsoft Corporation, http://www.microsoft.com/info/cookies.mspx, Retrieved August 28, 2006.

2. Brain, Marshall “How Internet Cookies Work” Howstuffworks.com http://www.howstuffworks.com/cookie2.htm, Retrieved March 19, 2007.

3. “Query String”, Wikipedia, http://en.wikipedia.org/wiki/Query_string, Retrieved March 20, 2007

4. “About Protecting Your Privacy by Blocking Automatic Picture Downloads” Microsoft Office Online, http://office.microsoft.com/en-us/assistance/HP010440221033.aspx Retrieved August 28, 2006

5. “Description of Cookies”, Microsoft Office Online, http://support.microsoft.com/kb/260971/EN-US/ Retrieved September 6, 2006.

6. Not that it turned out to matter overmuch in that particular case, as they were looking only at the civil provisions of the statute, which require a showing of $5,000 of damages. Not being able to show that much damage resulting from a single act, their claim was dismissed on other grounds.

Developing your skills is essential to your professional success... Do you have the tools you need?

The 2007 Global Conference on Economic and High-Tech Crime, hosted by the National White Collar Crime Center (NW3C), is fast approaching. We invite you to participate in this year’s event to learn the latest tools and strategies for investigating and prosecuting white collar crimes.

Hyatt Regency Crystal City 2799 Jefferson Davis Highway Arlington, VA 22202 Phone: (703) 418-1234 Fax: (703) 418-1289

Benefits of attending include:
• Education- speakers who are investigators, prosecutors, industry experts and researchers
• Technology- exhibitors who support law enforcement and collective fraud prevention endeavors
• Networking- attendees are law enforcement personnel, security professionals, victim services advocates, fraud investigators, prosecutors and academic professionals specializing in fraud and economic crime

For session descriptions, speaker information and to register visit:

Invest in your professional future!

Join the ACFE and take advantage of the opportunity to obtain the globally preferred Certified Fraud Examiner (CFE) credential. Be recognized by business and government leaders as an expert in the anti-fraud profession.

Why become a CFE?
• On average, CFEs earn almost 18% more than non-CFEs, according to the 2006 Compensation Guide for Anti-Fraud Professionals
• The CFE designation is officially recognized for their fraud investigators by the FBI, U.S. Department of Defense, Government Accountability Office, Postal Inspection Service and the Royal Canadian Mounted Police
• In a recent study by Robert Half International, the CFE is listed as one of the most marketable credentials today

Position yourself as one of the most highly sought after individuals in law enforcement. To learn more, visit www.ACFE.com/membership

The Association of Certified Fraud Examiners (ACFE) is a global organization with over 40,000 members in 125 countries dedicated to fighting fraud. Founded by former law enforcement professionals, it is the leading resource for anti-fraud training and educational products, providing practical solutions to professionals engaged in the prevention, detection and investigation of corporate fraud. For more information about the ACFE, visit www.ACFE.com.

NW3C Electronic Law Enforcement Outreach Seminar
April 4, 2008
Albuquerque, New Mexico

Albuquerque Marriott 2101 Louisiana Boulevard NE Albuquerque, NM 87110

Visit www.nw3c.org/outreach for more information on speakers and topics, coming soon!
